server 2003 Restricted groups+laptop local groups

Posted on 2006-04-23
Medium Priority
Last Modified: 2010-08-05
Hi All

I have a problem with the following:

Laptops have one local user (member of the local administrators group) other than local administrator

I have

Used restricted groups to add 1 domain user and 1 domain group to the local administrators group on these laptops by

Typing administrators

then adding for example
debugger users

Now what happens is that the local user is removed from the local administrators group. Even if I put this user back into the local administrators group it is again removed, so reducing the user's rights over this laptop. This is happening domain wide on the 9 laptops that I wish this policy to apply to.
I then removed the restricted policy but the same result still exists: the local user is constantly removed from the local administrators group.

What action should I take to correct this, either manually on each machine or by policy?

Your help would be appreciated thanks in advance
Question by:rmfb
LVL 48

Accepted Solution

Jay_Jay70 earned 1500 total points
ID: 16518843
Hi rmfb,

this outlines your problem - you need to use the append feature of restricted groups added to 2003

LVL 51

Expert Comment

ID: 16519465
Create a Global Group in the domain for those laptop users.  Add that Group to the Restricted Group policy so that it is in the Administrators Group.

The users CAN log into their computer off the domain using their domain account - they will be logged in using cached credentials.


Author Comment

ID: 16523166


I have read the article you suggested, Jay, and find nothing about appending users, only adding users, or cannot find the append feature. Only the "adding" feature, which is different to "append". I am sorry, I may have misled you to believe I am familiar with this policy but I am not. Are you suggesting I need the patch from Microsoft to alter the behaviour on the local machine? If not, where do I find the "append" feature, as I can't seem to locate it in the restricted policy, only add group,
and I have done this and have explained the results in my previous post.

Also, having now removed the policy, this does not explain how I can stop the local user (member of the local administrators group) constantly being kicked out of the local administrators group.
Again, are you saying I need the patch?

Many thanks

LVL 48

Expert Comment

ID: 16523325
there is no append as such - was just my wording

In earlier versions of Windows, if a domain controller processes a Restricted Groups policy in which the Members section is left blank, all members are purged from the group when the policy is applied, regardless of the setting for Member of. For example, if you create a Restricted Groups policy at the domain level for Domain Admins with a blank Members section and if you included local Administrators in Member of, when the policy is applied, all members of the Domain Admins group are removed (including the built-in Administrator account), and an empty Domain Admins group is added to the local administrators group.

The behavior in Windows 2000 SP4, Windows XP with Service Pack 2 (SP2), and Windows Server 2003 has been corrected. On a computer that is running one of these versions of Windows, if you apply a Restricted Groups policy that defines Member of but leaves Members blank, the Members section is ignored, and group membership is not emptied.

If you plan to use the Restricted Groups functionality that is enabled by this update to configure domain controllers, member servers, or workstations, make sure that they are all running Windows 2000 SP4, Windows XP SP2, or Windows Server 2003 so that domain group membership is not modified unintentionally.

For member servers and workstations, the behavior in this scenario remains unchanged.

That's straight from the article; in a word, it "appends" groups to the local group without removing them.

get the hotfix and see how you go :)
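The distinction the quoted article draws is between a Restricted Groups entry that defines "Members" for Administrators (enforced as the complete membership, so an unlisted local account is removed on every policy refresh) and an entry that only defines "Member of" for the domain group (the domain group is added and existing members are left alone). The following PowerShell script is an added example, not code from the thread or from Microsoft: it audits a laptop's local Administrators group against the membership you expect, and inspects the [Group Membership] section of a Restricted Groups template to flag the purging form. The account and group names (LAPTOP01, localuser, CONTOSO\Laptop Admins, the S-1-5-21-... SID) are placeholders, the template fragments are constructed, and the `Group__Members` / `Group__Memberof` key layout is assumed to be how a secedit-style GptTmpl.inf stores Restricted Groups; check it against a template exported from your own domain.

```powershell
# Added example (not from the original thread or from Microsoft): audit the local
# Administrators group and inspect a Restricted Groups template for the setting that
# purges unlisted accounts. Names and SIDs below are placeholders; the template key
# layout (Group__Members / Group__Memberof) is an assumption about GptTmpl.inf.

function Get-LocalAdministrators {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The WinNT ADSI provider works on Windows Server 2003 / XP era hosts without AD cmdlets
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://CONTOSO/Laptop Admins or WinNT://LAPTOP01/localuser
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Compare-AdminMembership {
    param([string[]]$Expected, [string[]]$Actual)
    # Missing = accounts a policy has removed; Unexpected = accounts that should not be there
    [pscustomobject]@{
        Missing    = @($Expected | Where-Object { $Actual -notcontains $_ })
        Unexpected = @($Actual   | Where-Object { $Expected -notcontains $_ })
    }
}

function Get-RestrictedGroupSettings {
    param([string[]]$TemplateLines)
    $inSection = $false
    foreach ($line in $TemplateLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(?<group>.+?)__(?<setting>Members|Memberof)\s*=\s*(?<value>.*)$') {
            $value = $Matches['value'].Trim()
            [pscustomobject]@{
                Group   = $Matches['group']
                Setting = $Matches['setting']
                Value   = $value
                # A populated Members list is enforced as the whole membership, so every
                # account not on it (the laptop's local user) is removed at each refresh.
                # A Memberof-only entry with blank Members leaves existing members alone.
                PurgesOthers = ($Matches['setting'] -eq 'Members' -and $value -ne '')
            }
        }
    }
}

# Constructed template fragments. S-1-5-32-544 is the well-known SID of Administrators;
# the S-1-5-21-... value stands in for the domain group's SID.
$PurgingTemplate = @'
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-0000000000-0000000000-0000000000-1105
'@ -split "`r?`n"

$AppendingTemplate = @'
[Group Membership]
*S-1-5-21-0000000000-0000000000-0000000000-1105__Memberof = *S-1-5-32-544
*S-1-5-21-0000000000-0000000000-0000000000-1105__Members =
'@ -split "`r?`n"

Get-RestrictedGroupSettings $PurgingTemplate   | Format-Table -AutoSize
Get-RestrictedGroupSettings $AppendingTemplate | Format-Table -AutoSize

# Placeholder expectation for one laptop: built-in Administrator, the local user,
# and the domain group that the policy should append.
$expected = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\localuser", 'CONTOSO\Laptop Admins')
Compare-AdminMembership -Expected $expected -Actual @(Get-LocalAdministrators)
```

Run it on one of the affected laptops after a policy refresh: a non-empty `Missing` list that contains the local account is the symptom from the question, and a template row with `PurgesOthers` set to True on the Administrators SID is the entry to replace with a Memberof-only entry on the domain group.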
