Restricted Groups


Mike

I noticed a GPO setting called Restricted Groups located
in Computer Configuration/Windows Settings/Security
Settings. It will allow you to define the membership of
a group on a local computer (i.e. Administrators). When
defining the membership, it is absolute. When GPO is
refreshed, any modifications to the membership are erased
(additions or subtractions). My issue is that I also
need to allow the user to have administrator rights to
the local machine. (I know... This is horrible, but a
battle I will not win!)

Anyway, the question relates to the other configuration
in the setting. It will force the membership of a group
to another group. This would allow me to force the
membership of a "technicians group" to the local Admins
group and still set the user to be a member. The problem
is that since it is a GPO, it only applies to the computers
in the OU. Well, the groups on the computer are local and
cannot be nested with other groups. Has anyone found a
purpose for this second configuration? Additionally, any
insight on how to solve the problem without manually
configuring the desktops would be most helpful.

Thanks,

Mike
 

Jerold Schulman


See tip 5319 in the 'Tips & Tricks' at http://www.jsiinc.com

Alternately, use psexec (tip 4141) to run

net localgroup Administrators "Domain Users" /add

on the tech group's local workstations.


Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 

DBenway

Some notes I took...
Restricted Groups node in GPO: Groups and users not
specified in Restricted Groups are removed from the
group specified. In addition, the reverse membership
configuration option ensures that each restricted group is
a member of only those groups specified. For these
reasons, using Restricted Groups for security should
be limited to primarily configuring membership of local
groups on workstations or member servers. The Administrator
account in the Administrators group will not be removed by
Restricted Group GPO settings.
For more info, go to KB articles Q228496 and Q320065.
 

Guest

If you need to add domain groups, say the Helpdesk or <domain>\Domain Admins, to the local Administrators group without overwriting the specific users already in that group, use Startup Scripts in the GPO that governs the workstations' OU. It took me 6 months to get this information from Microsoft.

The script you apply to the OU should use the command NET LOCALGROUP to add the domain account to the local Administrators group. MSFT engineering said to use the LOCAL.EXE utility, but it wouldn't work in my environment.

This setup has worked like a charm and has had zero negative repercussions. I will be adding the same functionality to my server OUs RSN to allow remote admins to manage their own servers.

CHooper
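A worked version of the startup-script approach described in the post above, added here as an example and not code from the thread: it runs as Local System at boot, reads the current NET LOCALGROUP membership so the add is idempotent, never removes existing members, and logs what it did. The CONTOSO\Helpdesk and CONTOSO\Domain Admins names and the log path are assumptions.

```powershell
# Added example (not from the thread): GPO startup script that appends domain
# groups to the local Administrators group without touching existing members.
# CONTOSO\Helpdesk and CONTOSO\Domain Admins are assumed placeholder names.
$GroupsToAdd = @('CONTOSO\Helpdesk', 'CONTOSO\Domain Admins')
$LogFile     = Join-Path $env:SystemRoot 'Temp\localadmin-startup.log'   # assumed path

function Write-Log([string]$Message) {
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

# 'net localgroup Administrators' prints a header, a dashed separator, the member
# list and a trailing "The command completed successfully." line. Keep only the
# member lines so the membership test cannot match on header text.
function Get-LocalAdminMembers {
    $out = (net localgroup Administrators 2>&1) | ForEach-Object { "$_" }
    $members = @()
    $inList = $false
    foreach ($l in $out) {
        if ($l -match '^-{5,}') { $inList = $true; continue }
        if ($l -match '^The command completed') { break }
        if ($inList -and $l.Trim()) { $members += $l.Trim() }
    }
    return $members
}

$current = Get-LocalAdminMembers
foreach ($g in $GroupsToAdd) {
    if ($current -contains $g) {          # -contains is case-insensitive
        Write-Log "already present: $g"
        continue
    }
    # /add appends to the group; unlike Restricted Groups it removes nobody.
    $result = net localgroup Administrators "$g" /add 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Log "added: $g"
    } else {
        # Typical causes: no domain controller reachable yet at boot, or a mistyped group name.
        Write-Log ("FAILED to add {0}: {1}" -f $g, ($result -join ' '))
    }
}
```

Assign it under Computer Configuration/Windows Settings/Scripts (Startup) for the workstations' OU; the log file shows per-boot whether each add succeeded or was already in place.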
 
