
server 2003 Restricted groups+laptop local groups

rmfb asked
Medium Priority
Last Modified: 2010-08-05
Hi All

I have a problem with the following:

Laptops have one local user (member of the local administrators group) other than the local administrator.

I have used restricted groups to add 1 domain user and 1 domain group to the local administrators group on these laptops by typing administrators, then adding, for example, debugger users.

Now what happens is that the local user is removed from the local administrators group. Even if I put this user back into the local administrators group, it is again removed, so reducing the user's rights over this laptop. This is happening domain-wide on 9 laptops that I wish this policy to occur on.
I then removed the restricted policy, but the same result still exists: the local user is constantly removed from the local administrators group.

What action should I take to correct this, either manually on each machine or by policy?

Your help would be appreciated. Thanks in advance.

Top Expert 2006
Hi rmfb,

this outlines your problem - you need to use the append feature of restricted groups added to 2003


Top Expert 2005

Create a Global Group in the domain for those laptop users. Add that Group to the Restricted Group policy so that it is in the Administrators Group.

The users CAN log into their computer off the domain using their domain account - they will be logged in using cached credentials.




I have read the article you suggested, jay, and find nothing about appending users, only adding users, or cannot find the append feature. Only the "adding" feature, which is different to "append". I am sorry, I may have misled you to believe I am familiar with this policy, but I am not. Are you suggesting I need the patch from Microsoft to alter the behaviour on the local machine? If not, where do I find the "append" feature, as I can't seem to locate it in the restricted policy, only add group, and I have done this and have explained the results in my previous post.

Also, having now removed the policy, this does not explain how I can stop the local user (member of the local administrators group) constantly being kicked out of the local administrators group.
Again, are you saying I need the patch?

Many thanks

Top Expert 2006

there is no append as such - was just my wording

In earlier versions of Windows, if a domain controller processes a Restricted Groups policy in which the Members section is left blank, all members are purged from the group when the policy is applied, regardless of the setting for Member of. For example, if you create a Restricted Groups policy at the domain level for Domain Admins with a blank Members section and if you included local Administrators in Member of, when the policy is applied, all members of the Domain Admins group are removed (including the built-in Administrator account), and an empty Domain Admins group is added to the local administrators group.

The behavior in Windows 2000 SP4, Windows XP with Service Pack 2 (SP2), and Windows Server 2003 has been corrected. On a computer that is running one of these versions of Windows, if you apply a Restricted Groups policy that defines Member of but leaves Members blank, the Members section is ignored, and group membership is not emptied.

If you plan to use the Restricted Groups functionality that is enabled by this update to configure domain controllers, member servers, or workstations, make sure that they are all running Windows 2000 SP4, Windows XP SP2, or Windows Server 2003 so that domain group membership is not modified unintentionally.

For member servers and workstations, the behavior in this scenario remains unchanged.

that's straight from the article - it, in a word, "appends" groups to the local group without removing them

get the hotfix and see how you go :)
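
An added example, not part of the original thread or any poster's code: a small Python model of the two Restricted Groups forms discussed above. It parses the `[Group Membership]` section of a GPO security template (GptTmpl.inf) and simulates one policy refresh against a laptop's local Administrators group. The template fragments, account names and local membership are constructed placeholders, and the model assumes a non-empty Members list replaces the group's membership while Member Of only adds to it.

```python
# Constructed GptTmpl.inf fragments; every account and group name is a placeholder.
POLICY_MEMBERS = r"""
[Group Membership]
Administrators__Memberof =
Administrators__Members = CORP\jsmith,CORP\Debugger Users
"""
POLICY_MEMBEROF = r"""
[Group Membership]
CORP\Laptop Admins__Memberof = Administrators
CORP\Laptop Admins__Members =
"""
# Constructed local state of one laptop before the policy refresh.
LOCAL = {"Administrators": {"laptopuser", r"CORP\Domain Admins"}}


def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from the INF text."""
    rules, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        key, eq, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not (in_section and eq and sep):
            continue
        # Real templates often store SIDs prefixed with "*"; strip the marker.
        names = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        rules.setdefault(group.lstrip("*"), {})[kind.lower()] = names
    return rules


def apply_policy(rules, local_groups):
    """Simulate one refresh. Names are compared exactly (a simplification)."""
    result = {g: set(m) for g, m in local_groups.items()}
    removed = {}
    for group, rule in rules.items():
        wanted = set(rule.get("members") or [])
        # A non-empty Members list is authoritative: unlisted accounts are dropped.
        # An empty one is ignored, as on the patched versions quoted above.
        if wanted and group in result:
            removed[group] = sorted(result[group] - wanted)
            result[group] = wanted
    for group, rule in rules.items():
        for parent in rule.get("memberof", []):
            if parent in result:
                result[parent].add(group)  # Member Of only adds, never removes
    return result, removed
```

Running `apply_policy` on a template before linking the GPO shows which existing local administrators the Members form would drop; the Member Of form leaves them in place and only adds the domain group.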