AD GPO help: rights

I have a client that has an Active Directory structure. At the top of an OU he has a GPO that gives full rights to him and his admin on the servers that are added to this GPO, but when he applied this, all the other admin rights that were applied are revoked. He wants to leave it so that he and his admin have full rights, but wants other clients to have the ability to have full rights to certain servers.

Not sure I 100% understand the question. There were already specific settings set in GPO that are now nonexistent once he applied this change?
If that is the case, it sounds like his GPO is replacing permissions set on another GPO further up the line.
zenworksb (Author) commented:
I am sorry, here is the situation.

He has an OU to which he has applied a GPO that gives full rights on the servers that are added to the GPO in the container "server".

When this is applied it works and everything is great. But he has local rights on the server with users that are in the Administrators group on that server. When he applies the GPO it removes all of this and just replaces it with the users in the GPO. Is there a way to have both?
Not that I'm aware. Sounds like GPO is doing what it was designed to do by applying the settings he specified to that machine. He will need to add those users to the GPO as well.

bluntTony (Head of ICT) commented:
Are you talking about a Restricted Groups policy? In that case, the GPO setting you have used is the wrong one. It sounds like you've defined the local group on the server and added the users to this. This makes ONLY those users members of this local group.
Say for example, you want to add the group Admins1 to the local Administrators group on the server, but want to leave the existing members intact:
1. In the Restricted Groups policy, create a new group, and enter DOMAIN\Admins1 (where DOMAIN is your domain name).
2. Then in the next dialogue, use the 'This group is a member of' section. Add the local 'Administrators' group to this section at the bottom. This will add DOMAIN\Admins1 to the local group but will leave the other members in the group.
Hope this helps.


If I understand your situation correctly... It sounds like he is using a Restricted Groups setting, correct? Why couldn't he just add his account or any account he wants to the Administrator group in the Restricted Groups settings? Then his account and any others he specifies will always be applied.

GPOs are applied in this order: Local > Site > Domain > OU. OUs are the last policy applied and therefore the highest ranking.

Unless you're saying he wants each server to have different members in the Administrators group. In that case, you could either create more OUs or not configure Restricted Groups at all. Is there any rhyme or reason to who gets administrator rights to a particular server? If not, then not bothering with Restricted Groups might be easier to administer than creating a bunch of OUs.

If there is some structure to who gets admin rights, you could create an OU called 'Web Servers' and another called 'File Servers' and make a separate OU for each with the appropriate members/groups.
zenworksb (Author) commented:
So in the Restricted Groups we have one and that applies and works, but we create another one and it still only applies the top one and does not add anyone else?
bluntTony (Head of ICT) commented:
Do not define the local group using the top section. This section defines the members of the local group, and no-one else. It says 'these are the members of this local group, and nobody else', hence 'Restricted Groups'.
You want to add users/groups to the group without restricting others. Just use the bottom section as described. This says 'these domain groups/users are to be added to the specified local group(s)'.
Although I've never done it, if you define both of the above in the same GPO, I would say that the restrictive setting overrules...
Please let me know if I have misunderstood.
zenworksb (Author) commented:
I think you do understand. I went into the GPO setting and removed the top part and put the group I want in the bottom part and refreshed, and it did not remove anyone, but it removed that group, so that group was never present?
bluntTony (Head of ICT) commented:
I'm not sure I understand. Are you saying that the other default groups have come back, but the one you are trying to add is not being added?
I would remove the current setting completely and start again. Select 'Add Group' and enter the DOMAIN group, i.e. DOMAIN\groupname. Then, in the properties for this group, in the bottom section, add the name of the local group, i.e. Administrators.
This will add the group to the existing members. Also ensure that the GPO is actually applying by using gpresult.
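An added example (not code from this thread, from Experts Exchange, or from Microsoft) that makes the distinction in the answers above concrete: the top "Members of this group" section of a Restricted Groups entry replaces the local group's membership, while the bottom "This group is a member of" section only adds to it. The script parses a Restricted Groups section as it is stored in a GPO's GptTmpl.inf, labels each entry as restrictive or additive, and predicts which of a server's current local Administrators would be removed on the next refresh. The .inf text and the "current members" list are constructed for illustration; *S-1-5-32-544 is the well-known SID of the local Administrators group; Get-LocalGroupMember is the built-in cmdlet from the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 and later).

```powershell
# Constructed sample of the [Group Membership] section of a GPO's
# MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf (assumed format).
# Line 1 is the restrictive form (top section of the GPMC dialogue):
#   Administrators will contain exactly these accounts and nobody else.
# Line 2 is the additive form (bottom section, "This group is a member of"):
#   DOMAIN\Admins2 is added to Administrators; existing members stay.
$SampleInf = @'
[Group Membership]
*S-1-5-32-544__Members = Administrator,DOMAIN\Admins1
DOMAIN\Admins2__Memberof = *S-1-5-32-544
'@

function Get-RestrictedGroupEntry {
    # Parse every "<name>__Members = ..." / "<name>__Memberof = ..." line
    # in the [Group Membership] section into an object with its effect.
    param([Parameter(Mandatory)][string]$InfText)
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match '^\[(?<section>.+)\]\s*$') {
            $inSection = ($Matches.section -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^(?<name>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<value>.*)$') {
            $values = @($Matches.value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($Matches.kind -eq 'Members') {
                $effect = 'Replaces the membership of this group with the listed accounts'
            } else {
                $effect = 'Adds this account to the listed group(s), keeping existing members'
            }
            [pscustomobject]@{
                Name   = $Matches.name
                Kind   = $Matches.kind
                Values = $values
                Effect = $effect
            }
        }
    }
}

function Compare-LocalAdminsToPolicy {
    # Report what the policy would do to the local Administrators group.
    param(
        [Parameter(Mandatory)][object[]]$PolicyEntries,
        # Defaults to the live membership of this server's Administrators group
        # (the local computer prefix is stripped so names match the .inf form);
        # pass an explicit list to run the check offline.
        [string[]]$CurrentMembers = (Get-LocalGroupMember -Group 'Administrators' |
            ForEach-Object { $_.Name -replace "^$env:COMPUTERNAME\\", '' })
    )
    $adminsSid   = '*S-1-5-32-544'
    $restrictive = @($PolicyEntries | Where-Object { $_.Kind -eq 'Members'  -and $_.Name -eq $adminsSid })
    $additive    = @($PolicyEntries | Where-Object { $_.Kind -eq 'Memberof' -and $_.Values -contains $adminsSid })

    if ($restrictive.Count -eq 0) {
        # Only the bottom section is used: nothing is ever removed.
        return [pscustomobject]@{
            Mode           = 'Additive'
            WillBeAdded    = @($additive.Name)
            WouldBeRemoved = @()
        }
    }
    # Top section is used: anyone not listed (or not added by an additive
    # entry) loses membership on the next Group Policy refresh.
    $keep    = @($restrictive | ForEach-Object { $_.Values }) + @($additive.Name)
    $removed = @($CurrentMembers | Where-Object { $keep -notcontains $_ })
    [pscustomobject]@{
        Mode           = 'Restrictive'
        WillBeAdded    = @($additive.Name)
        WouldBeRemoved = $removed
    }
}

# Usage with the constructed sample; on a real server omit -CurrentMembers.
$entries = Get-RestrictedGroupEntry -InfText $SampleInf
$entries | Format-Table Name, Kind, Effect -AutoSize

# Constructed "current" membership of the server's Administrators group.
$current = 'Administrator', 'DOMAIN\Domain Admins', 'DOMAIN\ServerOps'
Compare-LocalAdminsToPolicy -PolicyEntries $entries -CurrentMembers $current
```

With the sample above the result is Mode = Restrictive and the two groups that are not named in the `__Members` line appear under WouldBeRemoved, which is exactly the behaviour the question describes; deleting the `__Members` line (the top section in the GPMC dialogue) and keeping only the `__Memberof` line turns the result into Mode = Additive with nothing removed. Run the comparison on a server before the first refresh of a new Restricted Groups GPO to see who would lose access, and confirm the GPO is actually reaching the machine with `gpresult /scope:computer /r`, as the answer above suggests.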
Question has a verified solution.