restricted group question

[OM]

Hi,

I just setup a restricted group in domain GPO with a domain user being a
local administrater. When I login to a machine with this user account, I
can see the domain user account name appears in the local administrators
group in computer management. However, I am not able to run any programs
that need administrative privilege, i.e. windows update or local gpedit.msc.

This is how I created the restricted group in the default domain policy

computer configuration\windows settings\security settings\restricted groups

add group - type in administrators
add the domain user account under the members of this group
exit gpmc
reboot PC and login

Did I miss anything here?

Thanks

OM

 

[OM]

Hi,

I just setup a restricted group in domain GPO with a domain user being a
local administrater. When I login to a machine with this user account, I
can see the domain user account name appears in the local administrators
group in computer management. However, I am not able to run any programs
that need administrative privilege, i.e. windows update or local
gpedit.msc.

This is how I created the restricted group in the default domain policy

computer configuration\windows settings\security settings\restricted groups

add group - type in administrators
add the domain user account under the members of this group
exit gpmc
reboot PC and login

Did I miss anything here?

Thanks

OM

Just discovered that if I create a new GPO with the same restricted
groups configuration and link it to a specific OU, then it works.

So why the default domain policy doesn't work even though I can see the
restricted groups settings applied to the local computer?

Thanks

OM