Server 2003 Restricted Groups + laptop local groups

Hi All

I have a problem with the following:

Laptops have one local user (member of the local Administrators group) other than the local Administrator.

I have used Restricted Groups to add 1 domain user and 1 domain group to the local Administrators group on these laptops by typing "Administrators" and then adding, for example, "Debugger Users".

Now what happens is that the local user is removed from the local Administrators group. Even if I put this user back into the local Administrators group, it is again removed, so reducing the user's rights over this laptop. This is happening domain-wide on the 9 laptops that I wish this policy to apply to.
I then removed the Restricted Groups policy, but the same result still exists: the local user is constantly removed from the local Administrators group.

What action should I take to correct this, either manually on each machine or by policy?

Your help would be appreciated. Thanks in advance.

Hi rmfb,

This outlines your problem: you need to use the append feature of Restricted Groups added in 2003.


Create a Global Group in the domain for those laptop users. Add that group to the Restricted Groups policy so that it is in the Administrators group.

The users CAN log into their computer off the domain using their domain account; they will be logged in using cached credentials.

rmfb (Author) commented:


I have read the article you suggested, jay, and find nothing about appending users, only adding users; I cannot find the append feature, only the "adding" feature, which is different to "append". I am sorry, I may have misled you to believe I am familiar with this policy, but I am not. Are you suggesting I need the patch from Microsoft to alter the behaviour on the local machine? If not, where do I find the "append" feature, as I can't seem to locate it in the Restricted Groups policy, only "add group", and I have done this and have explained the results in my previous post.

Also, having now removed the policy, this does not explain how I can stop the local user (member of the local Administrators group) constantly being kicked out of the local Administrators group.
Again, are you saying I need the patch?

Many thanks

There is no "append" as such; that was just my wording.

In earlier versions of Windows, if a domain controller processes a Restricted Groups policy in which the Members section is left blank, all members are purged from the group when the policy is applied, regardless of the setting for Member of. For example, if you create a Restricted Groups policy at the domain level for Domain Admins with a blank Members section and if you included local Administrators in Member of, when the policy is applied, all members of the Domain Admins group are removed (including the built-in Administrator account), and an empty Domain Admins group is added to the local administrators group.

The behavior in Windows 2000 SP4, Windows XP with Service Pack 2 (SP2), and Windows Server 2003 has been corrected. On a computer that is running one of these versions of Windows, if you apply a Restricted Groups policy that defines Member of but leaves Members blank, the Members section is ignored, and group membership is not emptied.

If you plan to use the Restricted Groups functionality that is enabled by this update to configure domain controllers, member servers, or workstations, make sure that they are all running Windows 2000 SP4, Windows XP SP2, or Windows Server 2003 so that domain group membership is not modified unintentionally.

For member servers and workstations, the behavior in this scenario remains unchanged.

That is straight from the article. In a word, it "appends" groups to the local group without removing them.

Get the hotfix and see how you go :)
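The point of the two replies above (put the laptop users in a domain global group, and rely on the "Member of" form of Restricted Groups rather than an enforced "Members" list) is easier to see against the security template itself and against what is actually in the local Administrators group on one of the laptops. The following PowerShell is an added example, not code from the thread or from Microsoft; it reads local group membership through the ADSI WinNT provider, which exists on XP/2003-era hosts as well as current ones, and re-adds the local account that an enforced member list has purged. The domain name CORP, the group LaptopAdmins and the account laptopuser are assumed names for illustration.

```powershell
# Added example (not from the original thread): inspect the local Administrators
# group via ADSI and re-add a local account that a Restricted Groups "Members"
# list has removed. CORP, LaptopAdmins and laptopuser are assumed names.

# For reference, the two Restricted Groups forms as they appear in the GPO's
# security template (GptTmpl.inf, [Group Membership] section). *S-1-5-32-544 is
# the well-known SID of the built-in Administrators group.
#
#   Enforced list: anything not listed here is removed at every policy refresh,
#   which is what purges a local account that the template does not name.
#   *S-1-5-32-544__Members = *S-1-5-32-544,CORP\LaptopAdmins
#
#   Additive ("Member of"): the domain group is added to Administrators and the
#   existing local members are left alone.
#   CORP\LaptopAdmins__Memberof = *S-1-5-32-544

function Get-LocalGroupMemberName {
    param(
        [string]$Group = 'Administrators',
        [string]$Computer = $env:COMPUTERNAME
    )
    $adsi = [ADSI]"WinNT://$Computer/$Group,group"
    # Call the COM Members() method and read each member's ADsPath, which looks
    # like WinNT://CORP/LaptopAdmins for a domain principal or
    # WinNT://LAPTOP01/laptopuser for a local one; strip the provider prefix.
    @($adsi.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    }
}

function Restore-LocalAdmin {
    param(
        [Parameter(Mandatory = $true)][string]$User,   # local account, e.g. laptopuser
        [string]$Computer = $env:COMPUTERNAME
    )
    $current = Get-LocalGroupMemberName -Group 'Administrators' -Computer $Computer
    # -contains is case-insensitive for strings, matching how Windows treats names
    if ($current -contains "$Computer/$User") {
        Write-Output "$User is already a member of Administrators on $Computer; nothing to do"
        return
    }
    $adsi = [ADSI]"WinNT://$Computer/Administrators,group"
    $adsi.Add("WinNT://$Computer/$User,user")
    Write-Output "Re-added $User to Administrators on $Computer"
}

# Usage (run elevated on the laptop): list who is in Administrators now, then
# put the local account back.
Get-LocalGroupMemberName
Restore-LocalAdmin -User 'laptopuser'
```

The re-add only sticks if no enforced "Members" entry for Administrators still reaches the machine: as the question describes, an enforced list removes the account again at the next security policy refresh. After changing the GPO, run `gpupdate /force` on the laptop, call `Get-LocalGroupMemberName` again and confirm the local account survives a refresh before rolling the policy out to the other laptops; `gpresult` will show which GPOs are still being applied if the purge continues after the setting was removed.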