Solved

Active Directory: What does 'Restricted Groups' mean?

Posted on 2004-08-24
Last Modified: 2012-05-05
What does 'Restricted Groups' mean and when would it be used?  I haven't been able to get a full understanding of what 'Restricted Groups' is.

The scenario that I have is I want to add a user to their local admin group.  This user should only be a local admin on their PC and any PC that has a specific application on it.  That application requires that the user be in the local admin group.  I have a couple of users in different OUs that need to be in the local admin group of their PC too - for the same reason.

Currently, I've gone to the individuals' PCs and manually added them into the local admin group.  The problem is if they go to another PC with the application on it and they are not in that PC's local admin group, the application will not work.

What's the best approach for handling the above scenario?  I've posted another related question in this forum, but now I'm inquiring in re:'Restricted Groups'.

Thanks.
Question by:halfondj
11 Comments
 
LVL 12

Expert Comment

by:Housenet
ID: 11889046
-Are these PCs members of a domain for which you have a domain admin's credentials?
1. Create a domain group, add the people you need to do your thing.
2. Remotely manage each of the PCs from one of the DCs and add the group to the local Administrators group on the PCs. Another option is to use a script. They exist... I don't have one handy at the moment.

Right click on 'My Computer' and choose 'Manage',
then right-click on the local computer & choose connect to another machine
->add the app-admins group to the remote machine's Administrators group.
0
 

Author Comment

by:halfondj
ID: 11892767
To Housenet: I'm not sure what you are explaining.  I wanted to know what 'Restricted Groups' mean and when one should use it.

Thanks.
0
 
LVL 12

Expert Comment

by:Housenet
ID: 11893154
Hello,
No, no.. You asked "What's the best approach for handling the above scenario?"
-I personally think that the definition of a restricted group is evident by the name itself.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11894234
Restricted Groups in the GPO allows you to set exactly what the contents of the group are for the computers under that GPO.

So I may set a policy for Restricted Groups like this:
1) Right click on Restricted Groups and add Administrators.
On the right the group will be there now.

2) Right click on the new group Administrators and add Domain Admins and "My group" (a group of your choosing). Pay attention to your options.

3) Next time the computer updates its security policy (if it is in the OU with the policy applied), it will remove all entries from the Restricted group and add the ones you put in it.

J


0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11894263
P.S. If you wanted to use it for your issue, put your users in a group... put their PCs in a container and apply a policy to it which adds Administrators to the Restricted list and then add the new group and Domain Admins to the group.

J
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11894289
Oops, one more thing, don't forget to add the local administrator.
It would be like this.

administrator
domain\Domain admins
domain\My Group

0
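Added example, not part of any post in this thread: a Restricted Groups setting is stored in the GPO's GptTmpl.inf under `[Group Membership]`, and this sketch parses such a section and previews what the next policy refresh does to a PC's local Administrators group. The domain SID, the RID for "My Group" and the hand-added user are constructed values, and `preview_refresh` is a hypothetical helper name.

```python
# Constructed sample: the [Group Membership] section that a Restricted Groups
# setting for BUILTIN\Administrators (S-1-5-32-544) produces in GptTmpl.inf.
# The domain SID S-1-5-21-1111-2222-3333 and RID 1105 ("My Group") are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,*S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1105
"""

def norm(entry):
    """Drop the '*' that marks a SID and fold case so entries compare equal."""
    return entry.strip().lstrip("*").lower()

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}}."""
    policy, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep:
            continue
        entries = [norm(v) for v in value.split(",") if v.strip()]
        policy.setdefault(norm(group), {})[kind.lower()] = entries
    return policy

def preview_refresh(current_members, policy_members):
    """The Members list is authoritative: anything not listed is removed."""
    have = {norm(m) for m in current_members}
    want = {norm(m) for m in policy_members}
    return {"removed": sorted(have - want), "added": sorted(want - have),
            "result": sorted(want)}

if __name__ == "__main__":
    admins = parse_group_membership(SAMPLE_INF)["s-1-5-32-544"]["members"]
    # Constructed current state: RID 2001 is a user added by hand on the PC.
    current = ["Administrator", "S-1-5-21-1111-2222-3333-512",
               "S-1-5-21-1111-2222-3333-2001"]
    print(preview_refresh(current, admins))
```

The user added by hand shows up under `removed`, which is why membership granted manually on a PC does not survive once the policy applies to that computer.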
 

Author Comment

by:halfondj
ID: 11897527
To jdeclue: I'll need to try your recommendation tomorrow.

Thanks.
0
 

Author Comment

by:halfondj
ID: 11959199
To jdeclue:  I still haven't been able to get this working.

Do I need to set up a new OU with only the local computers I want to apply the policy to, then create a GPO for that OU setting the Restricted Groups as what you described previously?

Where does that users' group go?  In that new OU too?

Thanks.
0
 
LVL 9

Accepted Solution

by:
jdeclue earned 500 total points
ID: 11963479
Ahh, yes, there is some confusion... The policy is part of the computer configuration; as a result, it only applies to computer objects. So the GPO is placed in an OU that contains the computers, and not the users. It does not matter where the User Group is located. Let me know if that makes sense, ok.

J
0
 

Author Comment

by:halfondj
ID: 11964913
To jdeclue:  Thanks so much for the reply.  It's all making a lot of sense now.  I did what you suggested and all seems to be working perfectly.

For all your assistance and great explanations, I'm increasing the points to the max.

Thanks again!
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11965152
You are a gentleman, thank you very much! ;) Take Care and Good Luck.

J
0
