Solved

Local Admin account being removed from XP machines while using restricted groups in Group Policy

Posted on 2008-06-18
Last Modified: 2010-04-21
I'm using Restricted Groups to XP machines to allow Domain Admins admin rights to all boxes in domain via GP. However, when this policy is applied, the local admin account is being removed. This blocks support team from logging in to PCs locally to troubleshoot. How do I manage the GP so that it doesn't remove the local admin account?
Question by:stvbrx
5 Comments
 
LVL 16

Expert Comment

by:Kevin Hays
ID: 21812436
If you follow this link then everything should work without any questions.
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

I'm assuming you are probably just missing 1 step is all, as it could be confusing when you first try and set up the restricted groups.

0
 
LVL 70

Expert Comment

by:KCTS
ID: 21812444
Make sure you "Merge" and do not "Replace"
0
 

Author Comment

by:stvbrx
ID: 21812467
KCTS,
Meaning that I should have a Loopback in place?
0
 
LVL 41

Accepted Solution

by:
graye earned 1500 total points
ID: 21813089
Sorry, that's just how the Restricted Groups feature works. It completely replaces the contents of the group with whatever you've put in the GPO. It does not do a "merge", it always does a "replace".

The easiest way to merely add an account to the local Administrators group would be to use a Startup batch file with the following:

net localgroup /add Administrators [domain\group] > nul 2>nul

BTW: Domain Admins should have already been a member of the local Administrators group.
0
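
The startup-script approach from the accepted answer, written out as an added example (not code posted by anyone in this thread): it adds a domain group to the local Administrators group only when it is missing, never removes existing members, and logs the resulting membership so it can be audited. `EXAMPLE\Workstation Admins` and the log path are placeholder assumptions.

```batch
@echo off
rem Added example: computer startup script (runs as SYSTEM when assigned
rem under Computer Configuration > Windows Settings > Scripts > Startup).
rem It only ADDS a member, so the built-in local admin account is untouched.
setlocal

rem ASSUMPTION: placeholder group name, replace with your own domain\group.
set "GROUP=EXAMPLE\Workstation Admins"
rem ASSUMPTION: placeholder log location.
set "LOG=%SystemRoot%\Temp\localadmin-startup.log"

rem Skip the add when the group is already listed. This is a substring
rem match, so a longer name that contains %GROUP% would also count.
net localgroup Administrators | findstr /i /l /c:"%GROUP%" >nul
if not errorlevel 1 goto audit

rem Add the domain group. This fails if the domain cannot be reached yet,
rem so the outcome is logged instead of being discarded.
net localgroup Administrators "%GROUP%" /add >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% FAILED to add "%GROUP%" >>"%LOG%"
) else (
    echo %DATE% %TIME% added "%GROUP%" >>"%LOG%"
)

:audit
rem Record the current membership so unexpected local admins can be spotted.
echo %DATE% %TIME% current Administrators membership: >>"%LOG%"
net localgroup Administrators >>"%LOG%" 2>&1

endlocal
```
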
 

Author Closing Comment

by:stvbrx
ID: 31468314
Very disappointed that I can't make this work via GP.  Thanks for all your help!
0
