Solved

Active Directory: What does 'Restricted Groups' mean?

Posted on 2004-08-24
Last Modified: 2012-05-05
What does 'Restricted Groups' mean and when would it be used?  I haven't been able to get a full understanding of what 'Restricted Groups' is.

The scenario that I have is I want to add a user to their local admin group.  This user should only be a local admin on their PC and any PC that has a specific application on it.  That application requires that the user be in the local admin group.  I have a couple of users in different OUs that need to be in the local admin group of their PC too - for the same reason.

Currently, I've gone to the individuals' PCs and manually added them into the local admin group.  The problem is if they go to another PC with the application on it and they are not in that PC's local admin group, the application will not work.

What's the best approach for handling the above scenario?  I've posted another related question in this forum, but now I'm inquiring in re: 'Restricted Groups'.

Thanks.
0
Question by:halfondj
11 Comments
 
LVL 12

Expert Comment

by:Housenet
ID: 11889046
- Are these PCs members of a domain for which you have a domain admin's credentials?
1. Create a domain group. Add the people you need to do your thing.
2. Remotely manage each of the PCs from one of the DCs and add the group to the local Administrators group on the PCs. Another option is to use a script. They exist... I don't have one handy at the moment.

Right-click on 'My Computer' and choose 'Manage',
then right-click on the local computer and choose to connect to another machine
-> add the app-admins group to the remote machine's Administrators group.
0
 

Author Comment

by:halfondj
ID: 11892767
To Housenet: I'm not sure what you are explaining.  I wanted to know what 'Restricted Groups' means and when one should use it.

Thanks.
0
 
LVL 12

Expert Comment

by:Housenet
ID: 11893154
Hello,
No, no.. You asked "What's the best approach for handling the above scenario?"
- I personally think that the definition of a restricted group is evident by the name itself.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11894234
Restricted Groups in the GPO allows you to set exactly what the contents of the group are for the computers under that GPO.

So I may set a policy for Restricted Groups like this:
1) Right-click on Restricted Groups and add Administrators.
On the right the group will be there now.

2) Right-click on group new group Administrators and add Domain Admins and "My group" (a group of your choosing). Pay attention to your options.

3) Next time the computer updates its security policy (if it is in the OU with the policy applied), it will remove all entries from the Restricted group and add the ones you put in it.

J


0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11894263
P.S. If you wanted to use it for your issue, put your users in a group, put their PCs in a container, and apply a policy to it which adds Administrators to the Restricted list, and then add the new group and Domain Admins to the group.

J
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11894289
Oops, one more thing: don't forget to add the local administrator.
It would be like this.

administrator
domain\Domain admins
domain\My Group

0
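The replace-the-membership behaviour described in step 3 of the answer above, shown as an added example that is not part of the original thread. It previews which accounts a Restricted Groups member list would remove from and add to a local group; the function name, `PC01` and `DOMAIN\jsmith` are made up for illustration, and the policy list is the one given in the thread.

```powershell
# Added example, not from the thread. Previews the effect of a Restricted
# Groups member list on one local group, as the answer describes it: members
# not in the list are removed, listed accounts that are missing are added.
function Compare-RestrictedGroupMembers {
    param(
        [Parameter(Mandatory)][string[]]$Current,   # members on the PC today
        [Parameter(Mandatory)][string[]]$Policy,    # list configured in the GPO
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Local accounts are reported as "PC01\Administrator" but are usually typed
    # into the policy as "administrator"; drop the machine prefix before comparing.
    $strip = {
        param($name)
        $n = $name.Trim()
        if ($n.StartsWith("$ComputerName\", [StringComparison]::OrdinalIgnoreCase)) {
            $n.Substring($ComputerName.Length + 1)
        } else {
            $n
        }
    }
    $cur = @($Current | ForEach-Object { & $strip $_ })
    $pol = @($Policy  | ForEach-Object { & $strip $_ })

    # -in / -notin compare case-insensitively, as Windows does for account names.
    [pscustomobject]@{
        Removed = @($cur | Where-Object { $_ -notin $pol })
        Added   = @($pol | Where-Object { $_ -notin $cur })
        Kept    = @($cur | Where-Object { $_ -in $pol })
    }
}

# Constructed sample: a PC where a user was added by hand, as in the question.
# PC01 and DOMAIN\jsmith are hypothetical; the policy list is the thread's.
$current = 'PC01\Administrator', 'DOMAIN\Domain Admins', 'DOMAIN\jsmith'
$policy  = 'administrator', 'domain\Domain admins', 'domain\My Group'
# On a live machine (PowerShell 5.1+):
#   $current = (Get-LocalGroupMember -Group Administrators).Name

$result = Compare-RestrictedGroupMembers -Current $current -Policy $policy -ComputerName 'PC01'
$result | Format-List
```

With this sample the hand-added user appears under `Removed`, so that account keeps admin rights only if it is also a member of the group named in the policy.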
 

Author Comment

by:halfondj
ID: 11897527
To jdeclue: I'll need to try your recommendation tomorrow.

Thanks.
0
 

Author Comment

by:halfondj
ID: 11959199
To jdeclue:  I still haven't been able to get this working.

Do I need to set up a new OU with only the local computers I want to apply the policy to, then create a GPO for that OU setting the Restricted Groups as what you described previously?

Where does that users' group go?  In that new OU too?

Thanks.
0
 
LVL 9

Accepted Solution

by: jdeclue earned 500 total points
ID: 11963479
Ahh, yes, there is some confusion... The policy is part of the computer configuration; as a result, it only applies to computer objects. So the GPO is placed in an OU that contains the computers, and not the users. It does not matter where the User Group is located. Let me know if that makes sense, ok.

J
0
 

Author Comment

by:halfondj
ID: 11964913
To jdeclue:  Thanks so much for the reply.  It's all making a lot of sense now.  I did what you suggested and all seems to be working perfectly.

For all your assistance and great explanations, I'm increasing the points to the max.

Thanks again!
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11965152
You are a gentleman, thank you very much! ;) Take Care and Good Luck.

J
0

Question has a verified solution.