  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 184

Active Directory: What does 'Restricted Groups' mean?

What does 'Restricted Groups' mean and when would it be used?  I haven't been able to get a full understanding of what 'Restricted Groups' is.

The scenario that I have is I want to add a user to their local admin group.  This user should only be a local admin on their PC and any PC that has a specific application on it.  That application requires that the user be in the local admin group.  I have a couple of users in different OUs that need to be in the local admin group of their PC too - for the same reason.

Currently, I've gone to the individuals' PCs and manually added them into the local admin group.  The problem is if they go to another PC with the application on it and they are not in that PC's local admin group, the application will not work.

What's the best approach for handling the above scenario?  I've posted another related question in this forum, but now I'm inquiring in re:'Restricted Groups'.

Thanks.
0
halfondj
1 Solution
 
Housenet Commented:
-Are these PCs members of a domain for which you have a domain admin's credentials?
1. Create a domain group and add the people you need to do your thing.
2. Remotely manage each of the PCs from one of the DCs and add the group to the local administrators group on the PCs. Another option is to use a script. They exist... I don't have one handy at the moment.

Right-click on 'My Computer' and choose 'Manage',
then right-click on the local computer & choose connect to another machine
->add the app-admins group to the remote machine's administrators group.
0
 
halfondj (Author) Commented:
To Housenet: I'm not sure what you are explaining.  I wanted to know what 'Restricted Groups' mean and when one should use it.

Thanks.
0
 
Housenet Commented:
Hello,
No, no.. You asked "What's the best approach for handling the above scenario?"
-I personally think that the definition of a restricted group is evident by the name itself.
0
 
jdeclue Commented:
Restricted Groups in the GPO allows you to set exactly what the contents of the group are for the computers under that GPO.

So I may set a policy for Restricted Groups like this:
1) Right-click on Restricted Groups and add Administrators.
On the right, the group will be there now.

2) Right-click on the new group Administrators and add Domain Admins and "My group" (a group of your choosing). Pay attention to your options.

3) Next time the computer updates its security policy (if it is in the OU with the policy applied), it will remove all entries from the Restricted group and add the ones you put in it.

J


0
 
jdeclue Commented:
P.S. If you wanted to use it for your issue, put your users in a group, put their PCs in a container, and apply a policy to it which adds Administrators to the Restricted list, and then add the new group and Domain Admins to the group.

J
0
 
jdeclue Commented:
Oops, one more thing: don't forget to add the local administrator.
It would be like this.

administrator
domain\Domain admins
domain\My Group

0
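One way to confirm on a target PC that the Restricted Groups policy described above produced exactly the intended membership, as an added example that is not part of the original thread. `CONTOSO` and `My Group` are placeholders for your own domain and group, and the script assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`) on a PC inside the OU the GPO applies to.

```powershell
# Added example: compare the local Administrators group with the list the
# Restricted Groups policy is supposed to enforce. Names below are placeholders.
$Domain   = 'CONTOSO'                       # placeholder NetBIOS domain name
$Expected = @(
    "$Domain\Domain Admins",
    "$Domain\My Group"                      # placeholder for the application users' group
)

# Apply computer policy now instead of waiting for the next background refresh.
gpupdate /target:computer /force | Out-Null

$Members = @(Get-LocalGroupMember -Group 'Administrators')

# The built-in local administrator may have been renamed, so identify it by
# its well-known RID (-500) rather than by name.
$BuiltIn = $Members | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }
if (-not $BuiltIn) {
    Write-Warning 'Built-in local administrator is not in the Administrators group.'
}

# Everything else should match the policy list exactly.
$Actual = @($Members |
    Where-Object { $_.SID.Value -notmatch '^S-1-5-21-.*-500$' } |
    Select-Object -ExpandProperty Name)

$Diff = Compare-Object -ReferenceObject $Expected -DifferenceObject $Actual

if (-not $Diff) {
    Write-Output 'Local Administrators matches the Restricted Groups list.'
} else {
    foreach ($Entry in $Diff) {
        if ($Entry.SideIndicator -eq '<=') {
            # In the policy list but not on the machine: GPO not applied here?
            Write-Warning "Missing expected member: $($Entry.InputObject)"
        } else {
            # On the machine but not in the policy list: manual addition or drift.
            Write-Warning "Unexpected member: $($Entry.InputObject)"
        }
    }
}
```

A "Missing expected member" warning usually means the computer object is not in the OU the GPO is linked to; an "Unexpected member" warning points to an account that was added by hand, such as the manual additions described in the question.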
 
halfondj (Author) Commented:
To jdeclue: I'll need to try your recommendation tomorrow.

Thanks.
0
 
halfondj (Author) Commented:
To jdeclue:  I still haven't been able to get this working.

Do I need to set up a new OU with only the local computers I want to apply the policy to, then create a GPO for that OU setting the Restricted Groups as what you described previously?

Where does that users' group go?  In that new OU too?

Thanks.
0
 
jdeclue Commented:
Ahh, yes, there is some confusion... The policy is part of the computer configuration; as a result, it only applies to computer objects. So the GPO is placed in an OU that contains the computers, and not the users. It does not matter where the User Group is located. Let me know if that makes sense, ok.

J
0
 
halfondj (Author) Commented:
To jdeclue:  Thanks so much for the reply.  It's all making a lot of sense now.  I did what you suggested and all seems to be working perfectly.

For all your assistance and great explanations, I'm increasing the points to the max.

Thanks again!
0
 
jdeclue Commented:
You are a gentleman, thank you very much! ;) Take Care and Good Luck.

J
0
