mvvinod
Restricted Groups not working !!!! Also causing problems !!!

Hi,  
  I created a restricted group today for administrators. I added administrator, domain admin and another group called desktop admins that exist in active directory.

I see that no computers have the policy in effect yet. It's more than 8 hours since I configured the policy....

Also the first time I tried this, I was editing an existing GPO (BIG BIG MISTAKE) and I think because of that some machines have lost Domain Admins from the local admin group. I can't exactly figure out how that happened but I can see that the policy is not taking effect coz my other computers DO NOT show the desktop admins group in local admin...

Anybody have any ideas???

I have already done gpupdate /force, restarted the machine and still no luck. I verified and verified again that the GPO is assigned to the OU containing the computers.

Thanks!!

Vinod.
SOLUTION
Jay_Jay70
mvvinod

ASKER

I found out what the problem was. I enabled verbose logging and found this error in the client log:

Error 1388: A new member could not be added to a local group because the member has the wrong account type

I removed Administrators from the members of the restricted group and left only Domain Admins and Desktop Admins, refreshed the policy, and it worked immediately and I saw the membership..

I still don't know what happened to the machine that took Domain Admins out completely. I'm going to work on it...

I will keep you posted..

But don't all documents for restricted groups say to add the built-in Administrator to the restricted group "Administrators"????? Did I miss something??

Vinod.
ASKER CERTIFIED SOLUTION
Rob Williams
You can use the "member of" option rather than members (I think - may have it mixed up again) and it won't erase your groups.
I must apologize. I just tested the theory above. It came up in a post awhile ago. Upon testing it is not as I described, but they were referring to making the restricted group "a member of" (lower option) rather than adding members to it.
You just got the jump on me, sorry I didn't refresh. I have been off testing.
I wasn't implying you had posted it before James, it was someone else, I was wondering if you knew the answer. I am the one who was confused.
Tis cool my friend, netman helped me out with this as the link I posted had me confused for a bit as well :)

ASKER

I DO want to wipe out any users/groups that may exist in the local Administrators group. That is my point of configuring this...
I really had 2 problems....I got 1 of them fixed by removing Administrator from the "Administrators" restricted group. I don't know why it worked, but it worked. I was under the impression that I needed to define the members of the "Administrators" group completely. I also found out that even if I don't add Administrator (built-in), the restricted groups do not remove it.....

So I would like to know why I cannot add Administrator to the "Administrators" group and why it is erroring out due to the fact that I added it...

My next problem would be on workstations where "Domain Admins" completely disappeared from the local admin group. Those workstations are not physically accessible by me. I just wish that after the refresh period, Domain Admins would come back as forced by restricted groups...

I will post you tomorrow about the result of those machines.

Vinod.
It must be a conflict, to try and add Administrator. Then again, when adding the Administrator within Group Policy, you would be trying to add the server's Administrator, not the local Administrator.
I also don't know why you would lose Domain Admins, I thought they remained by default. You can however add them to the restricted group. That does work.
Note: just remember to be careful with restricted groups. If you accidentally apply it to the wrong OU, one containing your DCs, you can lock yourself out.

This is from an earlier post of mine, but it may come in handy working on your project:
I wrote a little script awhile ago to run a batch file from the server to quickly add users or groups to the local Administrators group of any computer in the domain. It may be of some help to you:
Copy from the Windows 2000 Resource Kit or from http://www.activexperts.com/activmonitor/windowsmanagement/reskit2000/
the file cusrmgr.exe and put it in a folder of your choice. I recommend doing this from the domain controller, but it works from any workstation in the domain so long as you are logged in as a domain admin.
In the same folder create a batch file named Add.bat and insert the text below:
==========================================================================

:: Add.bat - adds user or group %1 to the local Administrators group on computer %2
:: Requires cusrmgr.exe (Windows 2000 Resource Kit) in the same folder as this file
@Echo off
CLS
:: Write the log header only the first time the script runs
If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
Echo. >>UserAdd.log
Echo Add %1 to %2 >>UserAdd.log
:: -m = target machine, -alg = add to this local group, -u = user or group to add
cusrmgr.exe -m \\%2 -alg "Administrators" -u %1 >> UserAdd.log

==========================================================================
Now simply run by going to a command prompt. Change to the directory where you put your files and enter:
   Add username computername
You can substitute groupname for username. If there is a space such as Domain Users enclose in quotes: "Domain Users"
I thought the username had to be in username@domain.local but the basic name seems to work fine, if you have problems use the long form. No "\\" are necessary for the computername.
It will also create a log file named UserAdd.log where you can check for success or errors.
SOLUTION

ASKER

RSoP shows nothing out of the ordinary...
Domain Admins and the desktop admin group still haven't shown up on the other computers...

I was not trying to add the server's admin coz I entered it as "Administrator" manually and did not use the check name feature.

I know it is possible to remove Domain Admins if you wanted to and the machine lets you do it. I cannot add Domain Admins coz I don't have access to do that....I will try that script later today and let you know..I suspect the script will not work coz running the script as Domain Admins still does not give permission on the client machine to make those changes..

And we are only talking about these problems on the client. There is no problem with the server. I did not apply this to the OU containing servers.

Vinod.

ASKER

And I'm not even getting the error I talked about before. When I use MMC to view the event logs of those machines, it shows the security policy was successfully applied.

This machine is in a different OU than the machines above that I fixed by removing Administrators.

Vinod.

ASKER

Found the issue. Reran RSoP on the correct machine in the OU and I found a restricted group that I created first on the existing GPO which had no members. Deleted that group...

I will now wait 3 hours for my correct policy to get applied...Will keep you guys posted...

Vinod.
>>"I was not trying to add server's admin coz i entered it as administrators manually and did not use check name feature."
I think it will only allow you to add domain accounts/groups.

Do you have any of the accounts added to the local machines other than the local admin? You will have to be logged on as one of those accounts in order to add any user/group now, even the domain admin account, because the domain admin no longer has rights over that machine. You can do it remotely if you have a domain account with local admin rights. If not you will have to log on as local admin to add even the Domain Admins.

>>"And we are only talking about these problems on the client. There is no problem with the server. I did not apply this to ou containing servers."
No, I didn't think so; it was just a "disclaimer" comment.

You can force policy application if you want to hurry things along on your test workstation with gpupdate /force on XP
or using secedit on 2000.
So what you wanna say right now.. The policies are right but the groups are not adding?

ASKER

I'm not sure about restricted groups allowing only domain accounts to be added. I'm going to check on that...

But I think the GPO should add Domain Admins coz the GPO is not applied in the context of Domain Admins' permissions...even if Domain Admins is not authoritative over the machine, group policy should get processed...

I don't have any other accounts and I don't even remember the admin password for most computer accounts...and I don't have physical access to the machines...

So I just have to wait and see if Domain Admins gets added back....

I cannot log in to the workstation to do gpupdate....so I will just wait and see..

Vinod.
OK. So what I get from here is that whatever you have defined as "members" in the restricted group policy shows a red X in RSoP, I guess. Now there should be a reason for the same in the file %windir%\security\logs\winlogon.log

Can you check the area in the log file which is trying to add the group and erroring out? Please paste it here.

>>"But i think gpo should add domain admins coz gpo is not applied in the context of domain admin's permission...even if domain admin is not authoritative over the machine, group policy should get processed..."
Good point!

Curious to see how it goes.
I have used Restricted Groups a fair amount. I have always heard how tricky they can be but haven't had any problems, however I have not varied from the norm much. This may prove to be a good learning experience for all.  <G>

ASKER

ansh,
   I was trying to say that I had 2 GPOs with the same restricted groups configured. One which had blank members and the other the correct group as members. So I guess it caused a conflict. So now I made sure there was only 1 GPO that defines restricted groups and I'm waiting for the GPO to be applied on its own.

I will post the results...

Vinod.
If you are using Restricted Groups to replace and enforce the local Administrator group membership you MUST include all the default members of this group to your policy - otherwise they are removed and enforced.

Removing Administrator is a bad idea.  You're going to break a ton of things locally.

You're going to have to get this working properly before you remove the policy - otherwise, you are going to have a lot of issues.

To use the "replace and enforce" method (using Administrators group as example):

Right click Restricted Groups and select Add Group.
Manually type in "Administrators" then click OK.  (exclude the quotes)
On the next applet, click the Add button beside "Members of this group"
Type in "Administrator" manually then OK.
Click Add again then Browse to the Domain Admins group, then OK.
Click Add again then Browse to your Domain group, then OK.
Click OK when you're done.

Always use the Browse button to add domain groups or users.  MANUALLY type in any LOCAL user that must be added.

Now....

To use the "add member" method that DOES NOT remove or enforce the membership of the group you are adding to:

Right Click Restricted Groups and select Add Group.
Browse to your domain group (the one you want to Add to Administrators), click OK.
On the next screen click Add beside the "This group is a member of"
Manually type "Administrators" then OK.  (exclude the quotes)
Click OK again to close.

Your domain group will now be added to the local Administrators group on every PC affected by the policy.  Its membership in the local Administrators group is enforced, HOWEVER, no other existing member of the local Administrators group will be removed or enforced.

This method simply adds the group selected and nothing else.

Hope this demystifies things a little.

NM

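An added defender's check (example code, not from this thread or from Microsoft): it parses the [Group Membership] section of GptTmpl.inf, the security template each GPO stores in SYSVOL, and flags the two configurations that caused trouble in this thread, an empty replace-mode Members list on a built-in local group and the same group's membership being replaced by more than one GPO. It assumes the layout GPMC writes (`group__Members` for "Members of this group", `group__Memberof` for "This group is a member of"); the GPO names and domain SIDs are constructed.

```python
import re
from collections import defaultdict

# Constructed [Group Membership] fragments of three GPOs' GptTmpl.inf (SYSVOL ...\SecEdit\); names and SIDs are made up.
SAMPLE_GPOS = {
    "Old Workstation GPO": """
[Group Membership]
*S-1-5-32-544__Members =
""",
    "Local Admins GPO": """
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,*S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1105
""",
    "Helpdesk GPO": """
[Group Membership]
*S-1-5-21-1111-2222-3333-1105__Memberof = Administrators
""",
}
BUILTIN_PREFIX = "*S-1-5-32-"  # well-known local groups, e.g. *S-1-5-32-544 = Administrators
KEY_RE = re.compile(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$")

def parse_group_membership(inf_text):
    """Map group -> {'Members': list|None, 'Memberof': list|None}; None means key absent."""
    groups = defaultdict(lambda: {"Members": None, "Memberof": None})
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = KEY_RE.match(line) if in_section else None
        if m:
            group, kind, value = m.groups()
            groups[group][kind] = [v.strip() for v in value.split(",") if v.strip()]
    return dict(groups)

def audit(gpos):
    """Return sorted (finding, gpo, group) tuples for the two risky patterns from the thread."""
    findings, members_owners = [], defaultdict(list)
    for gpo, text in gpos.items():
        for group, entry in parse_group_membership(text).items():
            if entry["Members"] is not None:  # Members key present = replace-and-enforce method
                members_owners[group].append(gpo)
                if not entry["Members"] and group.startswith(BUILTIN_PREFIX):
                    findings.append(("empty-members-wipes-group", gpo, group))
    for group, owners in members_owners.items():
        if len(owners) > 1:  # two GPOs both replacing the same group, as happened in the thread
            findings.append(("members-defined-in-multiple-gpos", ",".join(sorted(owners)), group))
    return sorted(findings)
```

Run it over the real template files by reading each GPO's GptTmpl.inf (they are usually UTF-16) into the dictionary in place of the constructed samples.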

Nicely phrased Netman66. Thank you.
If you use the second option, add member, i.e. add to the "this group is a member of" option, doesn't it ignore the first option, add to "members of this group", or can you use both simultaneously? Perhaps that was the original 2000 GPO, pre 2000-SP2.
--Rob
You should be able to use them both.

The top option removes current membership and replaces it with your list - then enforces it. *Just confirmed - yes*
The second option simply adds the group you are adding to Restricted Groups to whatever you select without removing current membership of the selected group.  The only thing enforced for this section is the membership of the Restricted Group to other groups in this pane.

Oops...

*Just confirmed - yes* should have been after: You should be able to use them both.

Sorry!

NM

Thanks Netman66.
I just confirmed that I was confused yet again; the issue was apparently a problem with adding domain groups to local groups using the "member of.." option with pre Win2K SP4. Since repaired.
--Rob

ASKER

Netman66,
    Appreciate your time and effort. Here is my story and my version...

I did exactly what you had described in your steps and that is when I got the error 1388 I was talking about before... then I removed Administrator from the group and left all the domain groups and it immediately worked...

After doing some research I found out that "Administrators" is a special group. If you are using a restricted group to control membership of Administrators, no matter who is or is not in the group, the restricted group will never remove the local admin from that group. You can try it if you want....That's exactly what happened to me in another OU. It still had the local admin and no one else. It even removed Domain Admins.. Then I applied the correct policy and I saw the Domain Admins and desktop admin groups pop up....

So eventually all my problems are fixed and i appreciate all your help..

Vinod.
Thanks Vinod,
--Rob