• Status: Solved

Local Admin account being removed from XP machines while using restricted groups in Group Policy

I'm using Restricted Groups to XP machines to allow Domain Admins admin rights to all boxes in domain via GP. However, when this policy is applied, the local admin account is being removed. This blocks support team from logging in to PCs locally to troubleshoot. How do I manage the GP so that it doesn't remove the local admin account?
Asked by: stvbrx

Kevin Hays (IT Analyst) commented:
If you follow this link then everything should work without any questions.
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

I'm assuming you are probably just missing 1 step is all, as it could be confusing when you first try and set up the restricted groups.

KCTS commented:
Make sure you "Merge" and do not "Replace"

stvbrx (Author) commented:
KCTS,
Meaning that I should have a Loopback in place?

graye commented:
Sorry, that's just how the Restricted Groups feature works. It completely replaces the contents of the group with whatever you've put in the GPO. It does not do a "merge", it always does a "replace".

The easiest way to merely add an account to the local Administrators group would be to use a Startup batch file with the following:

net localgroup /add Administrators [domain\group] > nul 2>nul

BTW: Domain Admins should have already been a member of the local Administrators group.
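
A fuller version of the startup-script approach suggested above, as an added example that is not part of the original thread. It checks membership first and logs the outcome instead of discarding all output, so a failed add is visible. The group name EXAMPLE\Desktop-Support and the log path are constructed placeholders.

```batch
@echo off
rem Added example: computer startup script that adds one domain group to the
rem local Administrators group and leaves the existing members untouched.
rem EXAMPLE\Desktop-Support and the log path are placeholders (assumptions).
setlocal
set "TARGET=EXAMPLE\Desktop-Support"
set "LOG=%SystemRoot%\Temp\add-local-admin.log"

rem "net localgroup <group>" lists one member per line. Check first, because
rem adding an existing member returns an error that would look like a failure.
rem find does a substring match, so keep TARGET specific.
net localgroup Administrators | find /i "%TARGET%" >nul
if not errorlevel 1 (
    >>"%LOG%" echo %date% %time% %TARGET% already present
    goto :verify
)

net localgroup Administrators "%TARGET%" /add >nul 2>&1
if errorlevel 1 (
    >>"%LOG%" echo %date% %time% FAILED to add %TARGET%
    endlocal
    exit /b 1
)
>>"%LOG%" echo %date% %time% added %TARGET%

:verify
rem Record the resulting membership so unexpected admin accounts can be reviewed.
>>"%LOG%" net localgroup Administrators
endlocal
exit /b 0
```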

stvbrx (Author) commented:
Very disappointed that I can't make this work via GP.  Thanks for all your help!