Solved

Restricted Groups not working !!!! Also causing problems !!!

Posted on 2006-06-15
Last Modified: 2012-05-05
Hi,
  I created a restricted group today for administrators. I added administrator, domain admin and another group called desktop admins that exist in Active Directory.

I see that no computers have the policy in effect yet. It's more than 8 hours since I configured the policy....

Also the first time I tried this, I was editing an existing GPO (BIG BIG MISTAKE) and I think because of that some machines have lost domain admins from the local admin group. I can't exactly figure out how that happened but I can see that the policy is not taking effect coz my other computers DO NOT show desktop admins group in local admin...

Anybody has any ideas ???

I have already done gpupdate /force, restarted the machine and still no luck. I verified and verified again that the GPO is assigned to the OU containing computers.

Thanks!!

Vinod.
 
LVL 48

Assisted Solution

by:Jay_Jay70
Jay_Jay70 earned 150 total points
ID: 16917059
restricted groups can be tricky......

first run a gpresult on the clients and make sure your policy is in effect. Also, put this in a separate policy, do not leave this sitting on your default one...bad bad idea

read this also
http://support.microsoft.com/?id=810076
0
 
LVL 8

Author Comment

by:mvvinod
ID: 16917175
I found out what the problem was. I enabled verbose logging and found this error in the client log

Error 1388: A new member could not be added to a local group because the member has the wrong account type

I removed administrators from the members of the restricted group and left only domain admin and desktop admin and refreshed the policy and it worked immediately and I saw the membership..

I still don't know what happened to the machine that took domain admin out completely. I'm going to work on it...

I will keep you posted..

But don't all documents for restricted groups say to add builtin administrator to the restricted group "Administrators" ????? Did I miss something ??

Vinod.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 150 total points
ID: 16917239
Local workstations will have the local admin account and the Domain admin account by default.
Your problem may have been adding users and a group. I haven't tried adding a group but it handles them differently. I would recommend adding just 1 group (to which you can add whatever users you want) or add individual users to the restricted group.
Supposedly if you add a group rather than users, you can add individual users at the workstation level without them being overwritten every time group policy is refreshed. Adding single users to restricted groups will wipe out individual users (except lcl admin and dom admin) every time the policy is refreshed.
Perhaps Jay_Jay70 has tested that.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16917379
you can use the "member of" option rather than members (i think - may have it mixed up again) and it won't erase your groups
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16917383
I must apologize. I just tested the theory above. It came up in a post a while ago. Upon testing it is not as I described but they were referring to making the restricted group "a member of" (lower option) rather than adding members to.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16917395
You just got the jump on me, sorry i didn't refresh. I have been off testing.
I wasn't implying you had posted it before James, it was someone else, I was wondering if you knew the answer. I am the one who was confused.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16917406
tis cool my friend, netman helped me out with this as the link i posted had me confused for a bit as well :)
0
 
LVL 8

Author Comment

by:mvvinod
ID: 16917576
I DO want to wipe out any users/groups that may exist in local administrators. That is my point of configuring this...
I really had 2 problems....I got 1 of them fixed by removing administrator from the "Administrators" restricted group. I don't know why it worked, but it worked. I was under the impression that I needed to define the membership of the "administrators" group completely. I also found out that even if I don't add administrator (builtin), the restricted groups do not remove them.....

So I would like to know why I cannot add administrator to the "administrators" group and why it is erroring out due to the fact that I added it...

My next problem would be on workstations where "Domain admin" completely disappeared from the local admin group. Those workstations are not physically accessible by me. I just wish that after the refresh period, domain admins would come on as forced by restricted groups...

I will post you tomorrow about the result of those machines.

Vinod.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16919292
It must be a conflict, to try and add Administrator, then again, when adding the administrator within Group Policy, you would be trying to add the server's Administrator, not the local Administrator.
I also don't know why you would lose Domain Admins, I thought they remained by default. You can however add them to the restricted group. That does work.
Note: just remember to be careful with restricted groups. If you accidentally apply it to the wrong OU, one containing your DCs, you can lock yourself out.

This is from an earlier post of mine, but it may come in handy working on your project:
I wrote a little script a while ago to run a batch file from the server to quickly add users or groups to the Local Admin group of any computer in the Domain. It may be of some help to you:
Copy from the Windows 2000 Resource Kit or from http://www.activexperts.com/activmonitor/windowsmanagement/reskit2000/
the file cusrmgr.exe and put it in a folder of your choice. I recommend doing this from the domain controller but it works from any workstation in the domain so long as you are logged in as a domain admin.
In the same folder create a batch file named Add.bat and insert the text below;
==========================================================================

:: Batch file to add username %1 to local Administrators group on Computer %2
:: Usage: Add username computername   (results are appended to UserAdd.log)
@Echo off
CLS
:: Write the log header only the first time, when the log file does not exist yet
If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
Echo. >>UserAdd.log
Echo Add %1 to %2 >>UserAdd.log
:: cusrmgr.exe (Resource Kit): -m target machine, -alg local group to add to, -u user or group to add
cusrmgr.exe -m \\%2 -alg "Administrators" -u %1 >> UserAdd.log

==========================================================================
Now simply run by going to a command prompt. Change to the directory where you put your files and enter:
   Add username computername
You can substitute groupname for username. If there is a space such as Domain Users enclose it in quotes: "Domain Users"
I thought the username had to be in the form username@domain.local but the basic name seems to work fine; if you have problems use the long form. No "\\" are necessary for the computername.
It will also create a log file named UserAdd.log where you can check for success or errors.
0
 
LVL 4

Assisted Solution

by:ansh_gupta
ansh_gupta earned 200 total points
ID: 16919576
Try rsop.msc and find out from where/what setting is applying to the concerned area. Let me know if you have any questions..
0
 
LVL 8

Author Comment

by:mvvinod
ID: 16919707
RSoP shows nothing out of the ordinary...
Domain admin and desktop admin group still haven't shown up on the other computers...

I was not trying to add the server's admin coz I entered it as administrators manually and did not use the check name feature.

I know it is possible to remove domain admin if you wanted to and the machine lets you do it. I cannot add domain admin coz I don't have access to do that....I will try that script later today and let you know..I suspect the script will work coz running the script as domain admins still does not give permission on the client machine to make those changes..

And we are only talking about these problems on the client. There is no problem with the server. I did not apply this to the OU containing servers.

Vinod.
0
 
LVL 8

Author Comment

by:mvvinod
ID: 16919728
And I'm not even getting the error I talked about before. When I use MMC to view the event logs of those machines, it shows security policy successfully applied.

This machine is in a different OU than the machines above that I fixed by removing administrators.

Vinod.
0
 
LVL 8

Author Comment

by:mvvinod
ID: 16919757
Found the issue. Reran RSoP on the correct machine in the OU and I found a restricted group that I created first on the existing GPO which had no members. Deleted that group...

I will now wait 3 hours for my correct policy to get applied...Will keep you guys posted...

Vinod.
0
LVL 77

Expert Comment

by:Rob Williams
ID: 16919853
>>"I was not trying to add server's admin coz i entered it as administrators manually and did not use check name feature."
I think it will only allow you to add domain accounts/groups

Do you have any of the accounts added to the local machines other than the local admin? You will have to be logged on as one of those accounts in order to add any user/group now, even the domain admin account, because the domain admin no longer has rights over that machine. You can do it remotely if you have a domain account with local admin rights. If not you will have to log on as local admin to add even the domain admins.

>>"And we are only talking about these problems on the client. There is no problem with the server. I did not apply this to ou containing servers."
No I didn't think so, it was just a "disclaimer" comment.

You can force policy application if you want to hurry things along on your test workstation with   gpupdate /force   on XP
or using secedit on 2000.
0
 
LVL 4

Expert Comment

by:ansh_gupta
ID: 16919989
so what you wanna say right now.. The policies are right but the groups are not adding ?
0
 
LVL 8

Author Comment

by:mvvinod
ID: 16920003
I'm not sure about restricted groups allowing only domain accounts to be added. I'm going to check on that...

But I think the GPO should add domain admins coz the GPO is not applied in the context of domain admin's permissions...even if domain admin is not authoritative over the machine, group policy should get processed...

I don't have any other accounts and I don't even remember the admin password for most computer accounts...and I don't have physical access to the machines...

So I just have to wait and see if domain admin gets added back....

I cannot login to the workstation to do gpupdate....so I will just wait and see..

Vinod.
0
 
LVL 4

Expert Comment

by:ansh_gupta
ID: 16920138
OK. So what I get from here is that whatever you have defined as "members" in the restricted group policy shows a red x in RSoP I guess. Now there should be a reason for the same in the file %windir%\security\logs\winlogon.log

Can you check the area in the log file which is trying to add the group and erroring out. Please paste it here.

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16920196
>>"But i think gpo should add domain admins coz gpo is not applied in the context of domain admin's permission...even if domain admin is not authoritative over the machine, group policy should get processed..."
Good point !

Curious to see how it goes.
I have used Restricted groups a fair amount. I have always heard how tricky they can be but haven't had any problems, however I have not varied from the norm much. This may prove to be a good learning experience for all.  <G>
0
 
LVL 8

Author Comment

by:mvvinod
ID: 16920934
ansh,
   I was trying to say that I had 2 GPOs with the same restricted groups configured. One which had blank members and the other the correct group as members. So I guess it caused a conflict. So now I made sure there was only 1 GPO that defines restricted groups and I'm waiting for the GPO to be applied on its own.

I will post the results...

Vinod.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16924671
If you are using Restricted Groups to replace and enforce the local Administrators group membership you MUST include all the default members of this group in your policy - otherwise they are removed and enforced.

Removing Administrator is a bad idea.  You're going to break a ton of things locally.

You're going to have to get this working properly before you remove the policy - otherwise, you are going to have a lot of issues.

To use the "replace and enforce" method (using Administrators group as example):

Right click Restricted Groups and select Add Group.
Manually type in "Administrators" then click OK.  (exclude the quotes)
On the next applet, click the Add button beside "Members of this group"
Type in "Administrator" manually then OK.
Click Add again then Browse to the Domain Admins group, then OK.
Click Add again then Browse to your Domain group, then OK.
Click OK when you're done.

Always use the Browse button to add domain groups or users.  MANUALLY type in any LOCAL user that must be added.

Now....

To use the "add member" method that DOES NOT remove or enforce the membership of the group you are adding to:

Right Click Restricted Groups and select Add Group.
Browse to your domain group (the one you want to Add to Administrators), click OK.
On the next screen click Add beside the "This group is a member of"
Manually type "Administrators" then OK.  (exclude the quotes)
Click OK again to close.

Your domain group will now be added to the local Administrators group on every PC affected by the policy.  Its membership in the local Administrators group is enforced, HOWEVER, no other existing member of the local Administrators group will be removed or enforced.

This method simply adds the group selected and nothing else.

Hope this demystifies things a little.

NM


0
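The two methods Netman66 lays out above, and the "blank members" GPO conflict Vinod describes earlier in the thread, as an added example that is not part of the thread: a Python script that parses the [Group Membership] section of a GptTmpl.inf security template (the on-disk form of a Restricted Groups setting) and simulates what one policy refresh does to a workstation's Administrators group. The CORP domain, the jdoe account and the S-1-5-21 SIDs are constructed placeholders, and the rule that the built-in Administrator survives a "replace and enforce" is taken from what Vinod reports in this thread, so treat it as an assumption.

```python
# Added example, not from the thread: parse the [Group Membership] section of a
# GptTmpl.inf security template and simulate the two Restricted Groups behaviours.
# CORP, jdoe and the S-1-5-21-... SIDs are constructed placeholders.
PROTECTED = {"Administrator"}  # built-in account the thread reports is never removed

# "Replace and enforce" on Administrators plus "add member" for a domain group, as the
# GPO editor stores them: browsed domain objects become *SIDs, typed names stay text.
ENFORCE_INF = """
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,*S-1-5-21-1111-2222-3333-512
CORP\\Desktop Admins__Memberof = *S-1-5-32-544
CORP\\Desktop Admins__Members =
"""
# The stray GPO from the thread: Administrators restricted with an empty member list.
BLANK_INF = """
[Group Membership]
*S-1-5-32-544__Members =
"""

def parse_group_membership(text):
    """Return {group: {"members": list|None, "memberof": list|None}}: None means the
    option was not configured, [] means it was configured but left empty."""
    policy, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "__" not in line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")
        entry = policy.setdefault(group, {"members": None, "memberof": None})
        entry[kind.lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return policy

def apply_policy(policy, local_groups):
    """Simulate one policy refresh against {local_group: set(members)}."""
    groups = {g: set(m) for g, m in local_groups.items()}
    # "Members of this group": the list replaces the membership, so anything not
    # listed (other than the protected built-in Administrator) is removed.
    for group, entry in policy.items():
        if entry["members"] is not None and group in groups:
            groups[group] = set(entry["members"]) | (groups[group] & PROTECTED)
    # "This group is a member of": additive only, existing members are kept.
    for group, entry in policy.items():
        for target in entry["memberof"] or []:
            groups.setdefault(target, set()).add(group)
    return {g: sorted(m) for g, m in groups.items()}

# Constructed starting state: local Administrators (*S-1-5-32-544) on one workstation.
WORKSTATION = {"*S-1-5-32-544": {"Administrator", "CORP\\jdoe", "*S-1-5-21-1111-2222-3333-512"}}
```

Running `apply_policy(parse_group_membership(ENFORCE_INF), WORKSTATION)` keeps Administrator and Domain Admins, drops jdoe and adds the desktop admins group, while the BLANK_INF policy leaves only Administrator, which is the state Vinod saw on the machines hit by the stray GPO.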
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16924723
Nicely phrased Netman66. Thank you.
If you use the second option, add member, i.e. add to the "this group is a member of" option, does it ignore the first option, add to "members of this group", or can you use both simultaneously? Perhaps that was the original 2000 GPO, pre 2000-SP2.
--Rob
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16924752
You should be able to use them both.

The top option removes current membership and replaces it with your list - then enforces it. *Just confirmed - yes*
The second option simply adds the group you are adding to Restricted Groups to whatever you select without removing current membership of the selected group.  The only thing enforced for this section is the membership of the Restricted Group to other groups in this pane.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 16924755
Oops...

*Just confirmed - yes* should have been after: You should be able to use them both.

Sorry!

NM

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16924769
Thanks Netman66.
I just confirmed that I was confused yet again; the issue was apparently a problem with adding Domain Groups to local Groups using the "member of.." option with pre Win2K SP4. Since repaired.
--Rob
0
 
LVL 8

Author Comment

by:mvvinod
ID: 16925519
Netman66,
    Appreciate your time and effort. Here is my story and my version...

I did exactly what you had described in your steps and that is when I got the error 1388 I was talking about before... then I removed administrator from the group and left all domain groups and it immediately worked...

After doing some research I found out that "Administrators" is a special group. If you are using restricted groups to control membership of administrators, no matter who is or is not in the group, the restricted group will never remove local admin from that group. You can try it if you want....That's exactly what happened to me in another OU. It still had local admin and no one else. It even removed domain admin.. Then I applied the correct policy and I saw domain admin and desktop admin group pop up....

So eventually all my problems are fixed and I appreciate all your help..

Vinod.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16926413
Thanks Vinod,
--Rob
0
