Archive for Group Policy

Creating the SBS MyBusiness OU

The SBS products (SBS 2003/2008/2011) all included a pre-installed set of Group Policy OU’s called MyBusiness. Organizational Units (OU’s) are used to organize users and computers (workstations and servers) in order to manage and apply specific rules and policies.

However, the Essentials products (SBS 2011 Essentials, Windows 2012 Essentials) do not include the MyBusiness OU. So, if you wish to keep consistency between the SBS and Essentials platforms, you will need to create this on your own. One reason for doing this would be to implement the Group Policies related to blocking the CryptoLocker ransomware.

Fortunately, Microsoft did identify the basic steps for creating the MyBusiness OU in KB 2578426 and scroll down to Issue 3 / Rule 3 in the KB article for the required steps.

To (re)create the MyBusiness OU manually. To do this, follow these steps:

  1. Open Active Directory Users and Computers.
  2. Right-click the domain name object. In the shortcut menu, point to New…, and then click Organizational Unit. Type MyBusiness to name the new object.
    Note Type MyBusiness as one word.
  3. In the MyBusiness OU that you created in step 2, create the following OUs:
    • Computers
    • Distribution Groups
    • Security Groups
    • Users
  4. In the Computers OU that you created in step 3, create the following OUs:
    • SBSComputers
    • SBSServers
  5. In the Users OU that you created in step 3, create the following OU:
    • SBSUsers

After you have finished these steps, your Group policy structure should look like this:

2620671

Resolving SBS 2011 BPA Warning – Administrator Rights for Batch Jobs

This post describes how to resolve the following warning when running the Best Practices Analyzer for SBS 2011 (or SBS 2008):

The built-in Administrators group does not have the right to log on as batch job

image

Although this it is just a warning, I would advise resolving his issue, which requires a single update to a Group Policy setting. You will see this if you have done a migration to SBS 2011 (or SBS 2008).

Steps:

  • Click on Start –> Administrative Tools –> Group Policy Management
  • Drill down Forest: domain.local–> Domains –> domain.local –> Domain Controllers –> Default Domain Controllers Policy
  • Right click on Default Domain Controllers Policy, then click Edit
    image
  • The Group Policy Management Editor window displays
  • Drill down Computer Configuration –> Policies –> Window Settings –> Security Settings –> User Rights Assignment
    image
  • In the right hand pane, locate the policy: Log on as a batch job
  • Right click on this policy, and then click Properties
  • Click Add User or Group –> Click Add and then add the Administrators group to this policy
    image
  • Verify that the Administrators group has been added to the list
    image

That’s it. No reboot or restart of any services is required. Rerun BPA and that warning message should be gone.

Here is the Microsoft TechNet article describing this issue.