Link to home
Create AccountLog in
Avatar of rmfb
rmfb

asked on

server 2003 Restricted groups+laptop local groups

Hi All

I have a problem with the following:

Laptops have one local user (meber of the local administrators group) other than local administrator

I have

Used restricted groups to add 1 domain user and 1 domain group to the local administrators group on these laptops by

Typing administrators

then adding for example
administrators
domain/technician
domain/teachers
debugger users

now what happens is that the local user is removed from the local administrators group. Even if i put this user back into the local administrators group it is again removed so reducing the users right over this laptop. This is happening domain wide on 9 laptops that i wish this policy to occur.
I then removed the restricted policy but the same result still exists the local user is constantly removed from the local administrators group.

What action should i take to correct this either manually on each machine or by policy

Your help would be appreciated thanks in advance
ASKER CERTIFIED SOLUTION
Avatar of Jay_Jay70
Jay_Jay70
Flag of Australia image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of Netman66
Create a Global Group in the domain for those laptop users.  Add that Group to the Restricted Group policy so that is is in the Administrators Group.

The users CAN log into their computer off the domain using their domain account - they will be logged in using cached credentials.

Avatar of rmfb
rmfb

ASKER


Hi

I have read the article you suggested jay and find nothing about appending users only adding users or can not find the append feature. Only the "adding" feature which is different to "append". I am sorry i may have mislead you to believe i am familiar with this policy but i am not.Are you suggesting i need the patch from microsoft to alter the behaviour on the local machine if not where do i find the "append" feature as i cant seem to locate it in the restricted policy only add group
and i have done this and have explained the reults in my previous post.

Also having now removed the policy this does not explain how i can stop the local user (member of the local administrators group) constantly being kicked out of the local administrators group.
Again are you saying i need the patch.

Many thanks
Rmfb




there is no append as such - was just my wording

________________
In earlier versions of Windows, if a domain controller processes a Restricted Groups policy in which the Members section is left blank, all members are purged from the group when the policy is applied, regardless of the setting for Member of. For example, if you create a Restricted Groups policy at the domain level for Domain Admins with a blank Members section and if you included local Administrators in Member of, when the policy is applied, all members of the Domain Admins group are removed (including the built-in Administrator account), and an empty Domain Admins group is added to the local administrators group.

The behavior in Windows 2000 SP4, Windows XP with Service Pack 2 (SP2), and Windows Server 2003 has been corrected. On a computer that is running one of these versions of Windows, if you apply a Restricted Groups policy that defines Member of but leaves Members blank, the Members section is ignored, and group membership is not emptied.

If you plan to use the Restricted Groups functionality that is enabled by this update to configure domain controllers, member servers, or workstations, make sure that they are all running Windows 2000 SP4, Windows XP SP2, or Windows Server 2003 so that domain group membership is not modified unintentionally.

For member servers and workstations, the behavior in this scenario remains unchanged.
____________________________________________

that straight from the article - it in a word "appends" groups to the local group without removing them

get the hotfix and see how you go :)