Solved

Restricted Groups issue

Posted on 2007-10-16
11
Medium Priority
1,463 Views
Last Modified: 2008-06-01
Hi,

I have a group called "SophosAdministrator" in every machine in the Domain. This comes when the Sophos Antivirus is installed. My issue is there are users in the group... I want to remove everyone in the group on all machines in the OU...

How do I do this?

Regards
Sharath
0
Comment
Question by:bsharath
11 Comments
 
LVL 85

Expert Comment

by:oBdA
ID: 20083872
Create or edit a GPO linked to this OU.
Go to Computer Configuration\Windows Settings\Security Settings\Restricted Groups.
Right-click the "Restricted Groups" node, choose "Add group".
As group name, enter "SophosAdministrator", and leave the "Configure membership for SophosAdministrator" empty.
When the GPO is applied the next time (reboot or gpupdate /target:computer), this group should be empty on the machines in the OU.
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 400 total points
ID: 20083883
I take it from the question title that this is a restricted group?

Is this really the case? If so and you really want to remove them you will need to edit the GPO and remove the users there (under Computer Configuration->Windows Settings->Security Settings->Restricted Groups).


0
 
LVL 11

Author Comment

by:bsharath
ID: 20083939
I have OU structure as this.
OU Names
World (Here I have users)
Asia (Here I have computers)
India (Here I have users)
Computers (Here I have computers) (I want to create a GPO for this to restrict)

So I need to go to Group Policy Management > Group Policy Objects and then create a new GPO. Or
click on the domain name in Active Directory Users and Computers, then right-click, go to Properties, then Group Policy > Open.
If I create a GPO for computers, will it not affect all the other OUs, or just it, or all below it as well?
0
 
LVL 85

Expert Comment

by:oBdA
ID: 20084006
The Restricted Groups policy will affect all *computer* accounts in or below the OU to which the GPO is linked.

This article is for Windows 2000, but the basics still apply:
Step-by-Step Guide to Understanding the Group Policy Feature Set
http://technet.microsoft.com/en-us/library/Bb742376.aspx

Group Policy Frequently Asked Questions (FAQ)
http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/faq.mspx

It doesn't seem that you have the GPMC installed; this makes group policy management easier (a bit confusing at first if you're used to the "old" method, but then a lot better).
Enterprise Management with the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
0
 
LVL 11

Author Comment

by:bsharath
ID: 20084104
oBdA,
I have a CN=Computers in which I have all my computers, but I am not able to see it in GPMC...
I am able to see all the OUs.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 1600 total points
ID: 20084139
That would be the standard Computers "folder" in ADUC, directly under your domain root?
Then this is *not* an OU, it's a container. ("CN=Computers,dc=..." instead of "OU=CompanyComputers,dc=..." or whatever), and GPOs can only be applied to OUs, not to containers.
That leaves you with 2 options:
1. Link your GPO to the domain root (from where it will by default apply to *all* computer objects in your organisation); to restrict the GPO to certain machines, implement security group filtering (see link below for details), that is, remove "Authenticated Users" from the GPO's Read and Apply permissions, add a security group with these permissions instead, and add all computer accounts to which the GPO should apply to this group.
2. Create a dedicated OU for your computer accounts, move the computers in there, and link the GPO to this OU. As usual when moving objects in AD, make sure this doesn't have unintended consequences.

How to Implement Group Policy Security Filtering
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
0
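The container-versus-OU distinction in the accepted answer can be read straight off a computer account's distinguished name. The following is an added example, not part of the original post: the function names and all sample DNs are made up for illustration, and it only parses strings, so it needs no AD module or domain access.

```powershell
# Added example. All distinguished names below are constructed sample values.

function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on commas not preceded by a backslash, so "CN=LAB\, PC7" stays one RDN.
    # Simplification: an RDN ending in an escaped backslash ("\\") is not handled.
    [regex]::Split($DistinguishedName, '(?<!\\),') | ForEach-Object { $_.Trim() }
}

function Get-GpoLinkScope {
    param([Parameter(Mandatory)][string]$ComputerDN)

    $rdns    = @(Split-DistinguishedName $ComputerDN)
    $parents = @($rdns | Select-Object -Skip 1)      # nearest parent first
    $ous     = @($parents | Where-Object { $_ -match '^OU=' })
    $domain  = @($parents | Where-Object { $_ -match '^DC=' }) -join ','

    # The direct parent decides whether a GPO can be linked where the object sits.
    if ($parents[0] -match '^OU=') {
        $parentType = 'OU'
    } elseif ($parents[0] -match '^CN=') {
        $parentType = 'Container'
    } else {
        $parentType = 'DomainRoot'
    }

    # With no OU anywhere above the object, only a domain-level link can reach it.
    if ($ous.Count -gt 0) {
        $options = "Link GPO to: $($ous -join ' | ')"
    } else {
        $options = "No OU in path; link at $domain with security filtering, or move to an OU"
    }

    [pscustomobject]@{
        Computer   = $rdns[0] -replace '^CN=', ''
        ParentType = $parentType
        Options    = $options
    }
}

$sampleDNs = @(
    'CN=PC001,CN=Computers,dc=example,dc=com',
    'CN=PC002,OU=Computers,OU=India,dc=example,dc=com',
    'CN=LAB\, PC7,OU=CompanyComputers,dc=example,dc=com'
)
$sampleDNs | ForEach-Object { Get-GpoLinkScope $_ } | Format-List
```

PC001 is reported as sitting in a container with no OU in its path, which is the situation the two options above address.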
 
LVL 11

Author Comment

by:bsharath
ID: 20084160
Last Q...
>> make sure this doesn't have unintended consequences.

Just to clarify, what can be the problems that I may face if I move computers from 1 OU to another or 1 CN to another OU...
0
 
LVL 11

Author Comment

by:bsharath
ID: 20084181
oBdA, in an existing group if I need to add a user what do I do...
Sorry, just tried a test OU and added a user but all the users in the group got removed.

0
 
LVL 85

Expert Comment

by:oBdA
ID: 20084184
Note that the following list is not exhaustive; the only one who knows details about your AD is you and your fellow colleagues.

As far as group policies are concerned, it depends on where you create the new OU; if you do this under an existing OU to which you already have applied GPOs containing computer configuration, then these policies will now be applied to the moved computers. If you create the new OU directly under the domain root, then nothing should change as far as GPOs are concerned.

Then there's the permissions issue. If you have delegated permissions to the Computers container to groups or users, then these permissions should be assigned to the new OU as well.

Then there might be scripts or customized MMCs that are wired to the Computers CN.
0
 
LVL 11

Author Comment

by:bsharath
ID: 20084206
0
 
LVL 85

Expert Comment

by:oBdA
ID: 20084212
Hm? Sorry, I don't quite get what you did or what you want to accomplish.
Do you want some users to be in the "SophosAdministrator" group after all?
If so, then create a global group "G-SophosAdministrators" or whatever; add the users to this group.
Change the restricted group policy "SophosAdministrator" that's currently removing the members of the local group "SophosAdministrator", so that the "Configure membership for SophosAdministrator" tab now has "G-SophosAdministrators" in the "This group has the following members" field.
The GPO will then add the global group "G-SophosAdministrators" to the local group "SophosAdministrator", and members of the global group will have the necessary permissions (or whatever this group is used for).
0
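The three member-list states that come up in this thread (empty list, a list with a single user, a list holding the global group) can be previewed before the GPO is applied. This is an added example, not part of the original posts: the function name is hypothetical, the EXAMPLE accounts are constructed, and it assumes the policy's member list is authoritative, as the replies above describe.

```powershell
# Added example. Account names are constructed; EXAMPLE is a placeholder domain.

function Get-RestrictedGroupEffect {
    param(
        [string[]]$CurrentMembers = @(),   # who is in the local group now
        [string[]]$PolicyMembers  = @()    # the GPO's member list for that group
    )
    # The policy list is authoritative: after it applies, the local group
    # holds exactly $PolicyMembers, whatever it held before.
    $everyone = @($CurrentMembers) + @($PolicyMembers) | Sort-Object -Unique
    foreach ($m in $everyone) {
        $isCurrent = $CurrentMembers -contains $m   # -contains ignores case
        $inPolicy  = $PolicyMembers  -contains $m
        if ($inPolicy -and $isCurrent) {
            $action = 'Keep'
        } elseif ($inPolicy) {
            $action = 'Add'
        } else {
            $action = 'Remove'
        }
        [pscustomobject]@{ Member = $m; Action = $action }
    }
}

# Constructed current membership. On a live machine with PowerShell 5.1 or later:
#   $current = (Get-LocalGroupMember -Group 'SophosAdministrator').Name
$current = @('EXAMPLE\alice', 'EXAMPLE\bob')

'--- Member list left empty'
Get-RestrictedGroupEffect -CurrentMembers $current |
    Format-Table -AutoSize | Out-String

'--- Member list holds one user only'
Get-RestrictedGroupEffect -CurrentMembers $current -PolicyMembers @('EXAMPLE\carol') |
    Format-Table -AutoSize | Out-String

'--- Member list holds the global group'
Get-RestrictedGroupEffect -CurrentMembers $current `
    -PolicyMembers @('EXAMPLE\G-SophosAdministrators') |
    Format-Table -AutoSize | Out-String
```

In every scenario the existing direct members are marked Remove unless they are also on the policy list, which is why access is granted through the global group rather than by adding individual accounts to the list.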
