Restricted Groups

Scott Lowe

I'm looking for a way to add, on an OU by OU basis, a specific global
group to the local Administrators group on workstations and member
servers whose computer accounts are found in that OU. If I use the
Restricted Groups policy setting from Group Policy applied to that
particular OU, then not only is the specific global group added to the
local Administrators group, but all other accounts that were already
members of the local Administrators are removed.

Any suggestions as to a workaround?
 
ptwilliams

Yes, that is the correct behaviour. That is by design - that's why it's
called restricted groups. You are forcing only certain members.

I don't know of a workaround, but then again I've not looked. I've only
used this once or twice, and I've wanted to only allow certain groups to be
members of certain groups ;-)


--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________


 
Scott Lowe

Would taking advantage of the hotfix from Microsoft that allows global
groups to be placed into local groups using the "Member Of"
functionality of Restricted Groups (instead of the other way around) be
the only fix? Surely there has to be a way to specify that a specific
list of groups should be included as members without also removing
everyone else.

See the URL for more information on the hotfix to which I am referring:

http://support.microsoft.com/default.aspx?kbid=810076
 
Cary Shultz [A.D. MVP]

Scott,

The behavior that you were experiencing was the expected behavior. Whether
that was a 'feature' or a bug I do not know. I understand and agree with
this way.

However, it would seem that you have correctly found the 'fix'. You have to
apply this fix to all of the computer accounts as well as the DCs. Then,
whichever groups and/or user account objects were members of the local
Administrators group will remain.

mfg,

Cary
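
Added example, not part of the original thread or any poster's code: a Python audit of the `[Group Membership]` section that Restricted Groups settings are stored in (the GPO's `GptTmpl.inf`), telling apart the "Members" form that replaces local Administrators from the "Member Of" form discussed above. The function names and the domain SIDs in the samples are hypothetical, and the code assumes groups are recorded by SID and that the file has already been decoded to text.

```python
ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
# Constructed samples; domain SIDs are made-up placeholders, helper names are hypothetical.
SAMPLE_REPLACE = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1105
"""
SAMPLE_ADDITIVE = """\
[Group Membership]
*S-1-5-21-1111-2222-3333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1105__Members =
"""

def parse_group_membership(inf_text):
    """Return {(group, 'members'|'memberof'): [principals]} from [Group Membership]."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        entries[(group.lstrip("*"), kind.lower())] = principals
    return entries

def audit_local_admins(inf_text):
    """Report how the policy touches local Administrators on targeted computers."""
    entries = parse_group_membership(inf_text)
    report = {"mode": "untouched", "enforced_members": [], "added_groups": []}
    for (group, kind), principals in entries.items():
        if kind == "members" and group == ADMINS_SID:
            # "Members" form: only the listed accounts are forced as members.
            report["mode"] = "replace"
            report["enforced_members"] = principals
        elif kind == "memberof" and ADMINS_SID in principals:
            # "Member Of" form: this group is placed into Administrators.
            report["added_groups"].append(group)
    if report["mode"] == "untouched" and report["added_groups"]:
        report["mode"] = "additive"
    return report

if __name__ == "__main__":
    print(audit_local_admins(SAMPLE_REPLACE), audit_local_admins(SAMPLE_ADDITIVE))
```

A `replace` result on a GPO linked to a workstation or member-server OU means the removal behaviour described in the first post applies to every computer in that OU.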
 
