Restricted Groups problem !!!


Mat

Hi,

I created a Restricted Groups setting in a GPO to allow only Domain
Admins to be members of the local Administrators group on each
computer. But some of these computers (each laptop) need to have
their domain user as a local Administrator too. So, if I go on a
laptop and add the user to the local Administrators group, it works,
but when the GPO is applied again (on reboot, or when forced with
secedit) the computer is back to the GPO configuration.

How can I keep the user in the local Administrators group?

Thanks
 

Cary Shultz [A.D. MVP]

Mat,

There is a fix for that. You are correct that if you use the 'standard'
Restricted Groups policy, whatever might already be a member of the computer's
local Administrators group is kicked out. Once you apply this fix, the
'Restricted Group' is simply added as another member of the computer's local
Administrators group (should there already be any members).

I cannot find the link for it at the moment. Sorry.

Cary
 

Scott Lowe


Unless I am reading the article incorrectly, this fix allows you to
specify that "Domain Global Group" is a member of "Specified Local
Group" using the Member Of functionality of the Restricted Groups
policy for the "Domain Global Group". Is this the only way to simply
specify that, in addition to whatever other accounts are currently
members, this global group should also be a member?

In other words, I don't want the Members property of a Restricted
Groups setting to remove accounts that aren't explicitly listed in the
policy. Make sense?
 

Robert Greene [MSFT]

Hello,


Restricted Groups are just that. You, as the administrator, can overwrite
any of those groups. You have to define all users that you wish to be in
the Administrators group if you define Restricted Groups.

Restricted Groups do not add; they replace.

320045 HOW TO: Restrict Group Membership By Using Group Policy in Windows
2000
http://support.microsoft.com/?id=320045

Troubleshooting
---------------
Here is the Excerpt from the Knowledge base article:
- When you restrict group membership by using group policy, you may notice
that you can still add users to a group to which they have been denied
access. Changes to restricted groups remain in effect until group policy is
refreshed. When group policy is refreshed, restricted group memberships are
reapplied, removing any changes that are made to the membership of the
restricted group.
For additional information about how to refresh group policy, click the
article number below to view the article in the Microsoft Knowledge Base:

=====================================

As a workaround, put the machines that need a different set of Restricted
Group memberships into their own OU. Then create a group, add the
users to it, and add that group to the Administrators group through the
Restricted Groups Group Policy setting.

Although this does allow anyone in that group to log on to any of those
computers and be an administrator... they are the exception and not the
rule. Either that, or make sure that those machines do not apply the
Restricted Groups GPO and define those local Administrators groups separately.

Best regards:


This posting is provided "AS IS"
with no warranties, and confers no rights
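The replace-versus-add distinction the replies above turn on (a "Members" list for a group is enforced exactly, a "Member of" entry only adds an account to a group) can be checked before the next policy refresh strips someone. The script below is an added example and is not code from this thread, Microsoft, or any of the posters. It parses the [Group Membership] section in the form the Security Settings extension stores Restricted Groups in GptTmpl.inf, then reports which members of a computer's local Administrators group would be removed or added. The domain name CONTOSO, the group Laptop-Admins, the user jdoe, and the sample membership are all made up; how Windows orders a Members list against a Memberof entry that targets the same group is modelled as an assumption (Members first, Memberof added on top), not taken from the thread.

```powershell
# Added example: model the effect of a Restricted Groups policy on BUILTIN\Administrators.
# Nothing here is from the original thread; all names, SIDs and memberships are constructed.

# Strict form (what Mat deployed): Administrators ends up with exactly this member list.
$StrictPolicy = @'
[Group Membership]
*S-1-5-32-544__Members = CONTOSO\Domain Admins
*S-1-5-32-544__Memberof =
'@

# Additive form (what Scott asks about): Laptop-Admins is added to Administrators,
# existing members are left alone.
$AdditivePolicy = @'
[Group Membership]
CONTOSO\Laptop-Admins__Memberof = *S-1-5-32-544
CONTOSO\Laptop-Admins__Members =
'@

function ConvertFrom-GroupMembershipInf {
    # Parse [Group Membership] into Members (group -> exact member list, replace semantics)
    # and MemberOf (group -> accounts to add, additive semantics). A leading '*' marks a SID.
    param([Parameter(Mandatory)][string]$IniText)
    $members = @{}; $memberOf = @{}; $inSection = $false
    foreach ($raw in ($IniText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or -not $line) { continue }
        $key, $value = $line -split '\s*=\s*', 2
        $values = @()
        if ($value) {
            $values = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
        if ($key -match '^\*?(.+)__Members$') {
            $members[$Matches[1]] = $values
        } elseif ($key -match '^\*?(.+)__Memberof$') {
            $account = $Matches[1]
            foreach ($group in $values) {
                if (-not $memberOf.ContainsKey($group)) { $memberOf[$group] = @() }
                $memberOf[$group] += $account
            }
        }
    }
    [pscustomobject]@{ Members = $members; MemberOf = $memberOf }
}

function Get-MembershipAfterRefresh {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string[]]$CurrentMembers,
        [Parameter(Mandatory)]$Policy
    )
    # Assumption of this model: a Members list wins and is applied first (anything not
    # listed is removed); Memberof entries for the same group are then added on top.
    $after = if ($Policy.Members.ContainsKey($Group)) { @($Policy.Members[$Group]) } else { @($CurrentMembers) }
    if ($Policy.MemberOf.ContainsKey($Group)) { $after += $Policy.MemberOf[$Group] }
    $after = @($after | Select-Object -Unique)
    [pscustomobject]@{
        Group   = $Group
        Before  = $CurrentMembers
        After   = $after
        Removed = @($CurrentMembers | Where-Object { $after -notcontains $_ })
        Added   = @($after | Where-Object { $CurrentMembers -notcontains $_ })
    }
}

function Get-LocalAdministratorsMembers {
    # Live read of the local Administrators group via the WinNT ADSI provider,
    # returned as DOMAIN\name (or COMPUTER\name) strings. Run as a local admin.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Constructed snapshot of one laptop, as an admin would see it after adding jdoe by hand.
# Replace with Get-LocalAdministratorsMembers to check a real machine.
$laptopAdmins = @('CONTOSO\Domain Admins', 'CONTOSO\jdoe')

foreach ($name in 'StrictPolicy', 'AdditivePolicy') {
    $policy = ConvertFrom-GroupMembershipInf (Get-Variable -Name $name -ValueOnly)
    $r = Get-MembershipAfterRefresh -Group 'S-1-5-32-544' -CurrentMembers $laptopAdmins -Policy $policy
    "{0,-15} removed: [{1}]  added: [{2}]" -f $name, ($r.Removed -join ', '), ($r.Added -join ', ')
}
```

With the constructed snapshot, StrictPolicy reports CONTOSO\jdoe as removed (the behaviour Mat is seeing on every refresh) and AdditivePolicy reports CONTOSO\Laptop-Admins as added with nothing removed. The comparison is plain string matching, so the policy fragment and the membership list must name accounts the same way (both as DOMAIN\name, or both as SIDs); when reading a live group, translate one side with [System.Security.Principal.NTAccount] before comparing against a SID-only policy.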
 

Cary Shultz [A.D. MVP]

Robert,

That is correct. Restricted Groups - out of the box - essentially remove
all members of 'group' and add whatever user account or group account
objects you - as Administrator - dictate.

However, there is a hotfix that will change this behavior. If you install
this hotfix to all of the computers in your network then Restricted Groups
will add whatever user account or group account objects you - as
Administrator - dictate to 'group'. That hotfix is available at the
following MSKB Article:

http://support.microsoft.com/?id=810076

This is the same link that Matjaz posted back in April.

HTH,

Cary
 
