• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2579
  • Last Modified:

Restricted Groups not working !!!! Also causing problems !!!

Hi,  
  I created a restricted group today for administrators. I added administrator, domain admin and another group called desktop admins that exist in active directory.

I see that no computers have the policy in effect yet. Its more than 8 hours since i configured the policy....

Also the first time i tried this, i was editing an exisitng gpo (BIG BIG MISTAKE) and i think because of that some machines have lost domain admins from the local admin group. I cant exactly figure out how that happened but i can see that the policy is not taking effect coz my other computers DO NOT show desktop admins group in local admin...

Anybody has any ideas ???

I have already done gpupdate /force, restarted the machine and still no luck. I verifed and verified again that gpo is assigned to ou comtaining computers.

Thanks!!

Vinod.
0
mvvinod
Asked:
mvvinod
  • 9
  • 8
  • 3
  • +2
3 Solutions
 
Jay_Jay70Commented:
restricted groups can be tricky......

first run a gpresult on the clients and make sure your policy is in effect. Also, put this in a separeate policy, do not leave this sitting on your default one...bad bad idea

read this also
http://support.microsoft.com/?id=810076
0
 
mvvinodAuthor Commented:
I found out what the problem was. I enabled verbose logging and found out this error on client log

Error 1388: A new member could not be added to a local group because the member has the wrong account type

I removed administrators from the member of restricted group and left only domain admin and desktop admin and refreshed the policy and it worked immediately and i saw the membership..

I still dont know what happened to the machine that tool domain admin out completely. I'm going to work on it...

I will keep you posted..

But doesnt all documents for restricted groups says to add builtin administrator to the restricted groups "Administrators" ????? Did i miss something ??

Vinod.
0
 
Rob WilliamsCommented:
Local workstations will have the local admin account and the Domain admin account by default.
Your problem may have been adding users and a group. I haven't tried adding a group but it handles it them differently. I would recommend adding just 1 group (to which you can add whatever users you want) or add individual users to the restricted group.
Supposedly if you add a group rather than users, you can add individual users at the workstation level without them being overwritten every tome group policy is refreshed. Adding single users to restricted groups will wipe out individual users (except lcl admin and dom admin) every time the policy is refreshed.
Perhaps Jay_Jay70 has tested that.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Jay_Jay70Commented:
you can use the "member of" option rather than members (i think - may have it mixed up again) and it won't erase your groups
0
 
Rob WilliamsCommented:
I must apologize. I just tested the theory above. It came up in a post awhile ago. Upon testing it is not as I described but they were referring to making the restricted group  "a member of" (lower option) rather than adding members to.
0
 
Rob WilliamsCommented:
You just got the jump on me, sorry i didn't refresh. I have been off testing.
I wasn't implying you had posted it before James, it was someone else, I was wondering if you knew the answer. I am the one who was confused.
0
 
Jay_Jay70Commented:
tis cool my friend, netman helped me out with this as the link i posted had me confused for a bit as well :)
0
 
mvvinodAuthor Commented:
I DO want to wipe out any users/groups that may exist in local administrator. That is my point of configuring this...
I really had 2 problems....1 got 1 of them fixed by removing administrator from "Administrators" restricted group. I dont know why it worked. but it worked. I was under the impression that i needed to define the member of the "administrators" group completely. I also found out that even if i dont add administrator(builtin), the restricted groups do not remove them.....

So i would like to know why i cannot add administrator to "administrators" group and why is is erroring out due to the fact that i added...

My next problem would be on workstations where "Domain admin" completely disappeared from local admin group. Those workstations are not physically accessable by me. I just wish that after refresh period, domain admins would come on as forced by restricted groups...

I will post you tomorrow about the result of those machines.

Vinod.
0
 
Rob WilliamsCommented:
It must be a conflict, to try and add Administrator, then again, when adding the administrator within Group Policy, you would be trying to add the server's Administrator, not the local Administrator.
I also don't know why you would loose Domain Admins, I thought they remained by default. You can however add them to the restricted group. That does work.
Note: just remember to be careful with restricted groups. If you accidentally apply it to the wrong OU, one containing your DC's, you can lock yourself out.

This is from an earlier post of mine, but it may come in handy working on your project.:
I wrote a little script awhile ago to run a batch file from the server to quickly add users or groups to the Local Admin group of any computer in the Domain. It may be of some help to you:
Copy from the Windows 2000 Resource Kit or from http://www.activexperts.com/activmonitor/windowsmanagement/reskit2000/ 
the file cusrmgr.exe and put it in a folder of your choice. I recommend doing this from the domain controller but works from any workstation in the domain so long as you are logged in as a domain admin.
In the same folder create a batch file named Add.bat and insert the text below;
==========================================================================

:: Batch file to add username %1 to local Administrators group on Computer %2
Echo off
CLS
If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
Echo. >>UserAdd.log
Echo Add %1 to %2 >>UserAdd.log
cusrmgr.exe -m \\%2 -alg "Administrators" -u %1 >> UserAdd.log

==========================================================================
Now simply run by going to a command prompt. Change to the directory where you put your files and enter:
   Add username computername
You can substitute groupname for username. If there is a space such as Domain Users enclose in quotes: "Domain Users"
I thought the username had to be in username@domain.local but the basic name seems to work fine, if you have problems use the long form. No "\\" are necessary for the computername.
It will also create a log file named UserAdd.log where you can check for success or errors.
0
 
ansh_guptaCommented:
Try rsop.msc and find out from where/what setting is applying to the concern area. Let me know if you haev any questions..
0
 
mvvinodAuthor Commented:
RSop shows nothing out of ordinary...
Domain admin and deskop admin group still hasnt shown up on the other computers...

I was not trying to add server's admin coz i entered it as administrators manually and did not use check name feature.

I know it is possible to remove domain admin if you wanted to and the machine lets you do it. i cannot add domain admin coz i dont have access to doing that....i will try that script later today and let you know..i suspect the script will work coz running the script as domain admins still does not give permission on the client machine to make those changes..

And we are only talking about these problems on the client. There is no problem with the server. I did not apply this to ou containing servers.

Vinod.
0
 
mvvinodAuthor Commented:
ANd i'm not even getting the error i talked about before. When i use mmc to view event logs of those machines, it shows security policy successfully applied.

This machine is in different OU than the machines above that i fixed by removing administrators.

Vinod.
0
 
mvvinodAuthor Commented:
Found the issue. Reran RSOP on correct machine in the OU and i found a restricted group that i created first on existing GPO which had no members. Deleted that group...

I will now wait 3 hours for my correct policy to get applied...Will keep you guys posted...

Vinod.
0
 
Rob WilliamsCommented:
>>"I was not trying to add server's admin coz i entered it as administrators manually and did not use check name feature."
I think it will only allow you to add domain accounts/groups

Do you have any of the accounts added to the local machines other than the local admin? You will have to be logged on as one of those accounts in order to add any user/group now, even the domain admin account because the domain admin no longer has rights over that machine. You can do remotely if you have a domain account with the local admin rights. If not you will have to log on as local admin to add even the domain admins.

>>"And we are only talking about these problems on the client. There is no problem with the server. I did not apply this to ou containing servers."
No I didn't think so it was just a "disclaimer" comment"

You can force policy application if you want to hurry things along on your test workstation with   gpupdate  /force    on XP
or using secedit on 2000.
0
 
ansh_guptaCommented:
so what you wanna say rightnow.. The policies are right but the groups are not adding ?
0
 
mvvinodAuthor Commented:
I'm not sure about restricted group allowing only domain accounts to be added. I'm going to check on that...

But i think gpo should add domain admins coz gpo is not applied in the context of domain admin's permission...even if domain admin is not authoritative over the machine, group policy should get processed...

i dont have any other accounts and i dont even remember admin password for most computer accounts...and i dont have physical access to the machines...

So i just have to wait and see if domain admin gets added back....

I cannot login to workstation to do gpupdate....so i will just wait and see..

Vinod.
0
 
ansh_guptaCommented:
OK. So what i get from he is that whatever you have defined as "members" in the restricted group policy shows a red x in RSOP i guess. Now there should be reaosn for the same in file %windir%\security\logs\winlogon.logs

Can you check the area in the log file which is trying add the group and erroring out. Please paste it here.

0
 
Rob WilliamsCommented:
>>"But i think gpo should add domain admins coz gpo is not applied in the context of domain admin's permission...even if domain admin is not authoritative over the machine, group policy should get processed..."
Good point !

Curious to see how it goes.
I have used Restricted groups a fair amount. I have always heard how tricky they can be but haven't had any problems, however i have not varied from the norm much. This may prove t be a good learning experience for all.  <G>
0
 
mvvinodAuthor Commented:
ansh,
   I was trying to say that i had 2 gpo's with same restricted groups configured. One which had blank members and other the correct group as members. So i guess it caused a conflict. So now i made sure there was only 1 gpo that defines restricted groups and i'm waiting for gpo to be applied by its own.

I will post the results...

Vinod.
0
 
Netman66Commented:
If you are using Restricted Groups to replace and enforce the local Administrator group membership you MUST include all the default members of this group to your policy - otherwise they are removed and enforced.

Removing Administrator is a bad idea.  You're going to break a ton of things locally.

You're going to have to get this working properly before you remove the policy - otherwise, you are going to have a lot of issues.

To use the "replace and enforce" method (using Administrators group as example):

Right click Restricted Groups and select Add Group.
Manually type in "Administrators" then click OK.  (exclude the quotes)
On the next applet, click the Add button beside "Members of this group"
Type in "Administrator" manually then OK.
Click Add again then Browse to the Domain Admins group, then OK.
Click Add again then Browse to your Domain group, then OK.
Click OK when you're done.

Always use the Browse button to add domain groups or users.  MANUALLY type in any LOCAL user that must be added.

Now....

To use the "add member" method that DOES NOT remove or enforce the membership of the group you are adding to:

Right Click Restricted Groups and select Add Group.
Browse to your domain group (the one you want to Add to Administrators), click OK.
On the next screen click Add beside the "This group is a member of"
Manually type "Administrators" then OK.  (exclude the quotes)
Click OK again to close.

Your domain group will now be added to the local Administrators group on every PC affected by the policy.  It's membership with the local Adminstrators group is enforced, HOWEVER, no other exisiting member of the local Administrators group will be removed or enforced.

This method simply adds the group selected and nothing else.

Hope this demystifies things a little.

NM


0
 
Rob WilliamsCommented:
Nicely phrased Netman66. Thank you.
If you use the second option add member, i.e. ad to "this group is a member of" option, doesn't ignore the first option, add to "members of this group", or can you use both simultaneously? Perhaps that was the original 2000 GPO, pre 2000-SP2.
--Rob
0
 
Netman66Commented:
You should be able to use them both.

The top option removes current membership and replaces it with your list - then enforces it. *Just confirmed - yes*
The second option simply adds the group you are adding to Restricted Groups to whatever you select without removing current membership of the selected group.  The only thing enforced for this section is the membership of the Restricted Group to other groups in this pane.

0
 
Netman66Commented:
Oops...

*Just confirmed - yes* should have been after: You should be able to use them both.

Sorry!

NM

0
 
Rob WilliamsCommented:
Thanks Netman66.
I just confirmed, that I was confused yet again, the issue was apparently a problem with adding Domain Groups to local Groups using the "member of.." option with pre Win2K SP4. Since repaired.
--Rob
0
 
mvvinodAuthor Commented:
Netman66,
    Appreciate your time and effort. Here is my story and my version...

I did exactly what you had described in your steps and that is when i got the error 1388 i was talking about before... then i removed administrator from the group and left all domain group and it immediately worked...

After doing some research i found out that "Administrators" is special group. If you are using restricted group to control membership of administrators, no matter who is or not in the group, the restricted group will never remove local admin from that group. You can try it if you want....Thats what exactly happened to me in another OU. It still had local admin and no one else. It even removed domain admin.. Then i applied the correct policy and i saw domain admin and desktop admin group pop up....

So eventually all my problems are fixed and i appreciate all your help..

Vinod.
0
 
Rob WilliamsCommented:
Thanks Vinod,
--Rob
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 9
  • 8
  • 3
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now