server 2003 Restricted groups+laptop local groups

Posted on 2006-04-23
Last Modified: 2010-08-05
Hi All

I have a problem with the following:

Laptops have one local user (member of the local administrators group) other than local administrator

I have

Used restricted groups to add 1 domain user and 1 domain group to the local administrators group on these laptops by

Typing administrators

then adding for example
debugger users

Now what happens is that the local user is removed from the local administrators group. Even if I put this user back into the local administrators group it is again removed, so reducing the user's rights over this laptop. This is happening domain wide on 9 laptops that I wish this policy to occur.
I then removed the restricted policy but the same result still exists: the local user is constantly removed from the local administrators group.

What action should I take to correct this, either manually on each machine or by policy?

Your help would be appreciated thanks in advance
Question by:rmfb
    LVL 48

    Accepted Solution

    Hi rmfb,

    this outlines your problem - you need to use the append feature of restricted groups added to 2003

    LVL 51

    Expert Comment

    Create a Global Group in the domain for those laptop users.  Add that Group to the Restricted Group policy so that it is in the Administrators Group.

    The users CAN log into their computer off the domain using their domain account - they will be logged in using cached credentials.


    Author Comment



    I have read the article you suggested, jay, and find nothing about appending users, only adding users, or cannot find the append feature. Only the "adding" feature, which is different to "append". I am sorry, I may have misled you to believe I am familiar with this policy, but I am not. Are you suggesting I need the patch from Microsoft to alter the behaviour on the local machine? If not, where do I find the "append" feature, as I can't seem to locate it in the restricted policy, only add group,
    and I have done this and have explained the results in my previous post.

    Also, having now removed the policy, this does not explain how I can stop the local user (member of the local administrators group) constantly being kicked out of the local administrators group.
    Again, are you saying I need the patch?

    Many thanks

    LVL 48

    Expert Comment

    there is no append as such - was just my wording

    In earlier versions of Windows, if a domain controller processes a Restricted Groups policy in which the Members section is left blank, all members are purged from the group when the policy is applied, regardless of the setting for Member of. For example, if you create a Restricted Groups policy at the domain level for Domain Admins with a blank Members section and if you included local Administrators in Member of, when the policy is applied, all members of the Domain Admins group are removed (including the built-in Administrator account), and an empty Domain Admins group is added to the local administrators group.

    The behavior in Windows 2000 SP4, Windows XP with Service Pack 2 (SP2), and Windows Server 2003 has been corrected. On a computer that is running one of these versions of Windows, if you apply a Restricted Groups policy that defines Member of but leaves Members blank, the Members section is ignored, and group membership is not emptied.

    If you plan to use the Restricted Groups functionality that is enabled by this update to configure domain controllers, member servers, or workstations, make sure that they are all running Windows 2000 SP4, Windows XP SP2, or Windows Server 2003 so that domain group membership is not modified unintentionally.

    For member servers and workstations, the behavior in this scenario remains unchanged.

    that's straight from the article - it, in a word, "appends" groups to the local group without removing them

    get the hotfix and see how you go :)
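
The difference between the two Restricted Groups settings discussed in this thread, as an added example that is not part of the original posts: it parses the `[Group Membership]` section that a GPO stores in `GptTmpl.inf` and models the effect on the local Administrators group. The account and group names (`EXAMPLE\jsmith`, `EXAMPLE\LaptopAdmins`, `laptopuser`) are hypothetical, the two templates are constructed, and the model is simplified (names are compared as written, with no SID resolution).

```python
# Constructed [Group Membership] sections as stored in a GPO's GptTmpl.inf.
# Account and group names are hypothetical; *S-1-5-32-544 is BUILTIN\Administrators.
MEMBERS_STYLE = r"""
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = EXAMPLE\jsmith,EXAMPLE\LaptopAdmins
"""
MEMBEROF_STYLE = r"""
[Group Membership]
EXAMPLE\LaptopAdmins__Memberof = *S-1-5-32-544
EXAMPLE\LaptopAdmins__Members =
"""
ADMINS = "*S-1-5-32-544"

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} for the section."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if sep and kind.lower() in ("members", "memberof"):
            entry = groups.setdefault(group, {"members": [], "memberof": []})
            entry[kind.lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return groups

def apply_to_local_admins(current, groups):
    """Simplified model: membership of local Administrators after the policy runs.
    Names are compared as written; no SID resolution is attempted."""
    result = set(current)
    entry = groups.get(ADMINS)
    if entry and entry["members"]:
        result = set(entry["members"])          # a Members list is authoritative
    for group, e in groups.items():
        if ADMINS in e["memberof"]:
            result.add(group)                   # Member Of only adds the group
    return result

if __name__ == "__main__":
    before = {"laptopuser", "EXAMPLE\\Domain Admins"}
    for name, text in (("Members", MEMBERS_STYLE), ("Member Of", MEMBEROF_STYLE)):
        after = apply_to_local_admins(before, parse_group_membership(text))
        print(name, "removed:", sorted(before - after), "added:", sorted(after - before))
```

Running the same parser over the real `GptTmpl.inf` of each GPO linked to the laptops' OU shows whether any policy still carries a `Members` list for Administrators.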
